Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Sdk

v1.0.2

AI-powered sports betting simulations with Monte Carlo analysis

Security Scan

VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill is an SDK that runs paid Monte Carlo simulations and performs on-chain payments via Solana. Requiring Node and a Solana private key is coherent with the stated purpose (it needs a wallet to pay $0.50 USDC per simulation). The codebase contains expected services (games, payment, simulation, picks) and constants for the API and treasury address.
Instruction Scope
SKILL.md explicitly instructs using process.env.SOLANA_PRIVATE_KEY to construct the client and to fund simulations; the instructions and included code reference api.edgebets.fun endpoints and the x402 payment flow only. There are no obvious instructions to read unrelated system files or to exfiltrate arbitrary data. However the SKILL.md and package README both instruct the agent (or developer) to provide the wallet secret in environment or file form — that grants the skill full control of that wallet.
Install Mechanism
There is no external install script that downloads arbitrary binaries or runs remote installers. The package contains source and a built dist/ bundle and would be installed via npm (edgebets-sdk). No network downloads from untrusted shorteners or extract/install steps are present in the skill metadata.
Credentials
The skill requires a single environment variable: SOLANA_PRIVATE_KEY. This is proportionate to performing on-chain payments, but a private key is extremely sensitive. Supplying it to the agent or storing it in an environment variable gives the SDK (and anything that can use the SDK) the ability to sign and submit arbitrary Solana transactions. The skill also includes a hard-coded treasury wallet address for payments — users should verify that address before sending funds.
Persistence & Privilege
The skill does not request 'always: true' and does not declare system config paths or other skills' credentials. It operates when invoked and does not assert permanent elevated presence in the agent.
What to consider before installing
This package appears to be a legitimate SDK for paid sports-simulation calls that uses Solana payments, and the code shows local transaction signing and API polling — which is expected. However:

1) Do NOT provide your main Solana private key to the agent. A private key in an environment variable gives full control of that wallet (ability to transfer funds).
2) Verify the package source and integrity (npm page, repository, checksums). The skill metadata here shows 'Source: unknown' even though package.json references edgebets.fun and a GitHub URL — confirm those links and check the upstream repo history and npm publisher.
3) Test with a throwaway wallet containing minimal funds (e.g., only enough USDC/SOL to run a single simulation) before using any real funds.
4) Prefer using a signing wallet adapter (wallet adapter or hardware wallet) that never exposes the raw secret to the runtime, or create a dedicated wallet with a limited balance.
5) Verify the TREASURY_WALLET address and endpoints (api.edgebets.fun) independently.
6) If you need higher assurance, review the full payment-related code paths (payment.ts/simulation.ts) to confirm that no network calls leak secret material and that the signature/proof flow stays local.

If you cannot verify the source, treat this skill as risky for holding any non-trivial funds.


latest: vk979bn43gszfqtdx0qnv38awyd83x61d

License

MIT-0
Free to use, modify, and redistribute. No attribution required.

Runtime requirements

Bins: node
Env: SOLANA_PRIVATE_KEY
