Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

SUIROLL

v1.0.0

Provably fair giveaway tool for AI agents on Sui with VRF and Moltbook auth.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
The skill's purpose (Sui lotteries with Moltbook agent auth) legitimately requires a Sui signing key and Moltbook API integration; the included code implements that (SUI_PRIVATE_KEY, Moltbook flows, Sui SDK usage). However the registry metadata declares no required env vars or config paths while SKILL.md, README and the code clearly require SUI_PRIVATE_KEY, MOLTBOOK_API_KEY and (in practice) MOLTBOOK_APP_KEY — this metadata mismatch is an inconsistency that should be resolved.
Instruction Scope
SKILL.md and the shipped code instruct the agent/user to export a private Sui key and Moltbook API keys and then run CLI commands that will sign on-chain transactions with the provided key. The enter flow interactively prompts for and saves Moltbook API keys; code reads/writes ~/.config/suiroll/moltbook-session.json and may reference ~/.config/moltbook/credentials.json. These instructions read and persist secrets and perform network calls (Sui RPC, Moltbook API) — all expected for this functionality, but they expand scope beyond simple read-only verification and involve signing transactions and storing API keys locally.
Install Mechanism
There is no external download/install spec in the registry (the skill bundle includes source and built JS). No remote extract or URL-based installer is used. The package depends on @mysten/sui SDK and standard npm modules (expected for Sui integration). No suspicious remote install sources were observed in the provided manifest.
Credentials
The skill requires highly sensitive secrets (SUI_PRIVATE_KEY to sign/custody funds, MOLTBOOK_API_KEY to mint identity tokens, and MOLTBOOK_APP_KEY which the code requires for verifying identity tokens). SUI_PRIVATE_KEY and MOLTBOOK_API_KEY are directly related to the stated purpose; however the need for MOLTBOOK_APP_KEY (an application developer key) is unusual for an end-user CLI and may be over-broad or mis-specified. Additionally, the registry metadata lists no required env vars despite these real requirements.
Persistence & Privilege
The tool saves Moltbook session data (including the Moltbook API key returned from interactive login or the env var) to ~/.config/suiroll/moltbook-session.json. The skill does not request always:true or claim system-wide privilege, and it doesn't appear to alter other skills. Persisting user API keys to disk is normal for CLI convenience but increases the attack surface (local secret leakage) and should be disclosed/understood by the user.
What to consider before installing
This skill will ask for and use your Sui private key to sign on-chain transactions and will call Moltbook APIs using your Moltbook API key. It will also save Moltbook session data (including API keys) under ~/.config/suiroll/moltbook-session.json. Before installing: (1) verify the skill's source and author — the registry metadata contradicts the runtime instructions (metadata claims no required env vars but the code requires SUI_PRIVATE_KEY, MOLTBOOK_API_KEY and MOLTBOOK_APP_KEY); (2) prefer testing on testnet and with a throwaway Sui key (do not use a high-value wallet); (3) avoid setting high-privilege/developer keys globally (MOLTBOOK_APP_KEY appears to be an app-level key and is unusual for end-users); (4) review package.json and the included code locally to confirm behavior; (5) consider running the CLI inside a disposable environment (VM/container) if you must provide real credentials; and (6) rotate any keys you expose during testing. If the publisher cannot explain why MOLTBOOK_APP_KEY is required or fix the registry metadata, treat the mismatch as a red flag.
