Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
EdgeBets
v1.0.4
AI-powered sports betting simulations with Monte Carlo analysis
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (Monte Carlo sports betting with Solana/x402 payments) aligns with the code and SKILL.md: the SDK includes payment and simulation services and calls to an EdgeBets API. Requesting a Solana private key is consistent with an SDK that must sign Solana payments, but the registry metadata marks no primary credential while SKILL.md declares SOLANA_PRIVATE_KEY — this mismatch is unexpected.
Instruction Scope
SKILL.md explicitly instructs the agent to set SOLANA_PRIVATE_KEY and use the SDK to fetch games and initiate paid simulations; it does not instruct reading arbitrary system files or exfiltrating unrelated data. README examples also show reading a local wallet file (e.g., ~/.config/solana/id.json) — this is example code but increases the chance the SDK will be used to load private keys from disk if users follow examples.
Install Mechanism
There is no external download/install spec; full SDK source is included in the package (package.json, dist/, src/). Dependencies are standard (@solana/web3.js, @solana/spl-token). No suspicious remote install URLs or archive extraction were found.
Credentials
The skill requires SOLANA_PRIVATE_KEY (a full wallet secret) which grants unrestricted access to funds in that wallet. That is functionally required to perform automated Solana payments, but it is highly sensitive and should be treated with caution. Additionally, the registry metadata lists no primary credential while SKILL.md requires SOLANA_PRIVATE_KEY — an inconsistency that reduces clarity about the skill's intended secret handling.
Persistence & Privilege
Skill does not request always:true and does not appear to modify other skills or system settings. Autonomous invocation is allowed (platform default) but not combined with other high-risk flags.
What to consider before installing
This SDK appears to be a legitimate sports-simulation client that charges a small USDC fee on Solana. However, it requires a full Solana private key (SOLANA_PRIVATE_KEY) which would allow any code in the SDK to spend funds from that wallet. Before installing or providing a private key:
- Do NOT supply your primary/high-value wallet private key. Use a dedicated wallet funded only with the small amount you are willing to risk for simulations.
- Verify the treasury address (TREASURY_WALLET) and API endpoints (api.edgebets.fun) on the project’s official pages and, if possible, on-chain transaction history to confirm expected behavior.
- Note metadata inconsistencies: the package/README sometimes shows a different price ($0.50) than SKILL.md ($1.00), and registry metadata does not mark a primary credential. These are signs of sloppy maintenance. Ask the author or check the project's repository for clarifications.
- Inspect or run the SDK in a controlled environment (isolated Node process, limited wallet) before granting it long-term access.
If you need help validating the treasury address, confirming the on-chain payment flow, or running the SDK safely with a disposable key, I can help step through those checks.
Runtime requirements
Bins: node
Env: SOLANA_PRIVATE_KEY
