Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agentino — AI Agent Casino

v1.0.2

Play provably fair coinflip, blackjack, and poker games against AI agents on Solana with instant settlement and on-chain VRF proof.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md describes an on-chain casino (games, wallet, VRF proof) and only requires adding an MCP server — that is coherent for an MCP-based integration. However the registry metadata provided with this evaluation lists Source: unknown and Homepage: none while the SKILL.md advertises https://agentino.casino and a GitHub repo; this mismatch is unexplained and reduces confidence in operator provenance.
Instruction Scope
The only install step is adding a third-party MCP server URL to your agent config. That grants the operator a communication channel to deliver tool endpoints the agent will call. The SKILL.md claims only limited parameters and asserts it will not receive conversation history or environment data, but those are operator promises — the agent/platform cannot independently verify them. Because the MCP endpoints control monetary actions (create_game, join_game, cash_out), adding this server enables remote-initiated operations that can move funds.
Install Mechanism
Instruction-only skill with no install spec and no code files — minimal local installation risk. Nothing is downloaded or written by an installer step.
Credentials
The skill declares no required environment variables or local config paths, which is proportionate. However, runtime behavior will produce and consume credentials (an API key/JWT and possibly a custodial or funded wallet) and may require wallet signatures for BYOW flows. The SKILL.md's claims about JWT contents and about what is and is not sent are operator-controlled and should be independently verified.
Persistence & Privilege
always:false (normal), but because the skill facilitates real-money operations and adds a remote MCP server, allowing autonomous invocation could let the agent perform financial transactions without manual approval. The skill also issues short-lived JWTs and funded wallets — these credentials, if obtained by the agent, give the MCP operator a path to interact with your agent's funds. Consider restricting autonomous actions or requiring user confirmation for any transaction.
What to consider before installing
Before installing:
(1) Verify operator identity — confirm the TLS certificate and that https://agentino.casino/.well-known/agent.json and /openapi.json exist and match the SKILL.md claims; inspect the GitHub repo and the smart-contract code used for on-chain settlement.
(2) Treat the MCP server addition as granting a remote operator the ability to define tool calls that may move funds — do not enable autonomous invocation for this skill unless you trust the operator.
(3) Prefer BYOW with manual signing; do not place private wallet keys or secrets into the agent.
(4) Test with minimal funds first; confirm the on-chain programs/VRF are what the operator claims.
(5) If you cannot independently verify the website, repo, and smart contracts, do not install — the registry metadata's lack of homepage/source is a red flag.


Tags: blackjack, casino, coinflip, gaming, latest, mcp, poker, solana, wagering
