Pluginv1.0.2

ClawScan security

StakeWise Staking · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousApr 20, 2026, 1:18 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The code and instructions implement the advertised StakeWise data proxy and look consistent, but the SKILL.md asks you to relax OpenClaw's execution security (allow the model to run curl without prompting) which is disproportionate and increases risk — review the setup choices before installing.
Guidance: What to consider before installing: - The code itself implements a local HTTP proxy that fetches StakeWise SDK and subgraph data from expected endpoints (stakewise subgraph and public Ethereum RPCs). That part looks coherent with the advertised purpose. - The SKILL.md asks you to set OpenClaw to tools.exec.security=full and tools.exec.ask=off so the model can run curl without prompting. This is the main risk: it grants the model broad, unprompted command execution on your machine. You should not enable this unless you fully trust the plugin source and understand the consequences. - Safer alternatives: - Run the included server yourself (npx @stakewise/llm-tools) in a controlled environment and do NOT flip OpenClaw to full exec; instead, use manual calls from your terminal or keep the 'ask' prompts enabled. - Use MCP stdio mode (the SKILL.md already documents npx/tsx approaches) rather than enabling global full exec. - Inspect package.json and any postinstall or bin scripts before running npx. Prefer installing in an isolated container or VM if you want to test. - Be aware the server stores the provided Ethereum address in memory and will include it in responses; do not save sensitive keys or private keys here (the skill never asks for private keys and you should never provide them). - Verify the GitHub repository and npm publisher (the SKILL.md includes a GitHub link). If you trust StakeWise and/or the repo's maintainers and plan to run the server locally under your control (without granting the model global exec rights), the tool appears coherent. If you are not comfortable relaxing OpenClaw's execution prompts, do not apply the recommended global settings.

Review Dimensions

Purpose & Capability: concernThe skill's name, description, and code all align with providing StakeWise on‑chain and subgraph data. However, the SKILL.md instructs users to change global OpenClaw settings to 'tools.exec.security full' and 'tools.exec.ask off' so the model can run curl against a local server. Granting global, unprompted command execution is not strictly necessary to fetch StakeWise data (the package already includes an MCP mode via npx) and is disproportionate to the stated purpose.
Instruction Scope: concernRuntime instructions tell the model to call a local HTTP proxy (http://127.0.0.1:5165) via curl and to save a user's Ethereum address in the server's in‑memory session. The endpoints and operations are narrowly scoped to StakeWise data. The problematic instruction is the explicit guidance to disable execution prompts and set full exec security — that expands what the model may run beyond the narrow curl calls the skill needs.
Install Mechanism: noteThere is no explicit install spec in the registry metadata (instruction-only), but the package includes a full Node project and recommends using openclaw plugins install or npx/@stakewise/llm-tools (and a global tsx for some clients). Using npx is normal; no suspicious remote download URLs are present. The requirement to install tsx globally is a minor friction but not inherently malicious.
Credentials: noteThe skill requests no environment variables or external credentials. It stores a user-provided Ethereum address in server memory for the session (and will return it in responses). That behavior is expected, but be aware the address is kept in‑process and may be returned by endpoints.
Persistence & Privilege: concernThe skill is not always-enabled and does not request special platform credentials. However, the SKILL.md explicitly tells users to change OpenClaw global execution settings (granting the model full command execution and turning off ask prompts). Combined with autonomous invocation being allowed by default, this broadens the model's effective privileges and increases risk if a compromised or malicious model invocation runs arbitrary commands.