Poker Agent
Pass
Audited by ClawScan on May 10, 2026.
Overview
The skill is coherent for playing testnet poker, but it does handle a service API key and can spend or lose testnet aUSD during gameplay.
Install only if you are comfortable letting the agent use the poker service API, keep the generated API key private, and set clear gameplay limits such as maximum buy-in and when to leave. Use testnet funds only.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent may spend or lose testnet aUSD while playing.
Sitting at a table triggers an on-chain escrow deposit, and later instructions submit poker actions such as bets, raises, and all-ins. This is expected for a poker-playing skill but can change the user's testnet token balance.
Your aUSD is deposited into the on-chain escrow contract automatically.
Use only testnet funds, choose buy-in limits deliberately, and tell the agent when it should leave the table.
Anyone with the API key could act as the poker agent for that account on this service.
The skill uses a browser-authenticated identity value to register and then relies on a bearer API key for subsequent actions. This is disclosed and purpose-aligned, but it is account-linked authority and is not declared as a primary credential in the registry metadata.
read the `data-privy-id` attribute to get the Privy user ID ... Store the `apiKey` securely. It will not be shown again.
Treat the generated API key as a secret, avoid sharing it in chat logs, and revoke or rotate it if the service provides that option.
