Is clawrencestreme/streme-launcher safe?

https://github.com/openclaw/skills/tree/main/skills/clawrencestreme/streme-launcher

Overall score: 81 (verdict: SAFE)

streme-launcher is a functionally coherent Streme protocol token deployment skill for Base mainnet with no prompt injection, hidden instructions, or observed data exfiltration. The primary risks are financial rather than malicious: a malformed STAKING_FACTORY_V2 address (21 bytes, invalid) would cause transaction failures, the five other contract addresses cannot be independently verified within the audit scope, and the skill's default configuration immediately triggers irreversible mainnet transactions requiring a funded wallet private key in the agent environment. The .clawhub/lock.json anomaly and canary file reads were attributed to the audit framework, not the skill.

Category Scores

Prompt Injection: 85/100 (weight 30%)
Data Exfiltration: 72/100 (weight 25%)
Code Execution: 80/100 (weight 20%)
Clone Behavior: 90/100 (weight 10%)
Canary Integrity: 95/100 (weight 10%)
Behavioral Reasoning: 65/100 (weight 5%)

Findings (7)

[HIGH] Malformed Ethereum address for STAKING_FACTORY_V2 (-20)

In references/contracts.md, the STAKING_FACTORY_V2 constant is assigned 0xC749105bc4b4eA6285dBBe2E3A36C2B899233d02c0, which is 21 bytes (42 hex characters after the 0x prefix). Ethereum addresses are 20 bytes (40 hex characters). This is an invalid address that will either cause an ABI encoding error at runtime or silently corrupt the encoded calldata, leading to failed or mis-routed transactions.

[HIGH] Wallet private key required in agent environment (-20)

The deploy-token.ts script reads PRIVATE_KEY from process.env and passes it to viem's privateKeyToAccount(). For an agent to execute this skill, the wallet private key must be present in the environment. This creates a large credential exposure surface — any skill co-loaded with this one that reads environment variables could capture the key.

[MEDIUM] Unverifiable contract addresses controlling token economics (-15)

The skill hardcodes five contract addresses (DEPLOYER, TOKEN_FACTORY, ALLOCATION_HOOK, LP_FACTORY, MAIN_STREME) that are presented as the official Streme protocol. If any of these have been replaced with attacker-controlled contracts, tokens deployed via this skill could be drained, the allocation hook could reroute staking rewards, or the LP factory could steal liquidity. The audit environment cannot verify these addresses against on-chain source code.

[MEDIUM] Irreversible mainnet financial transactions with no safeguards (-20)

The skill deploys tokens to Base mainnet with no confirmation step, no testnet option, and no gas estimation shown to the user before execution. An agent invoking this skill based on an ambiguous user request (e.g., 'create a token') would immediately broadcast an irreversible blockchain transaction. The default supply of 100B tokens and 10% fee structures commit the user to specific economic parameters they may not have reviewed.

[LOW] Third-party image service credentials exposed to agent (-8)

The upload-image.ts script and SKILL.md examples instruct the agent to handle PINATA_JWT, CLOUDINARY_API_KEY, CLOUDINARY_API_SECRET, and IMGBB_API_KEY. These credentials must be accessible in the agent environment for image upload to function, increasing the credential surface area accessible to the agent runtime.

[LOW] Lock file references unrelated skill (academic-research-hub) (-5)

The .clawhub/lock.json bundled inside the skill package contains a record for academic-research-hub v0.1.0 with an install timestamp of 1770957475341. This file does not belong to the streme-launcher skill and suggests the package was assembled from a workspace that had other skills installed, indicating sloppy packaging hygiene or possible metadata contamination.

[INFO] Post-install network connections from openclaw-gateway, not the skill (0)

Two established TCP connections to 34.233.6.177:443 (AWS) and two listening ports (18790, 18793) appeared after install, all attributed to the openclaw-gateway process (pid 1086). These are components of the audit monitoring infrastructure, not the skill under test. The skill itself produced no new network connections.