ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Fortuna Lottery

v1.2.0

Participate in the FORTUNA autonomous agent lottery on Solana. Buy lottery tickets by sending SOL to the treasury. Check jackpot size, round countdown, and d...

0· 543·0 current·0 all-time
by@codiicode
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (buy tickets, check jackpot on Solana) match the provided assets: an API usage pattern and a fallback send_sol.py that signs transactions with a SOL private key. Required binary (curl) is appropriate. One minor inconsistency: registry metadata lists "Required env vars: none" while a primary credential (SOLANA_PRIVATE_KEY) is declared — the SKILL.md clarifies the key is only needed for the optional fallback.
Instruction Scope
SKILL.md narrowly instructs the agent to call fortunaonsol.com API endpoints via curl and, only if the agent lacks wallet integration, to run the included send_sol.py which signs and sends a transfer to the hardcoded treasury. The instructions do not ask the agent to read other system files or exfiltrate data. The explicit instruction to "do NOT use web search" is a strong operational directive but not a security red flag by itself.
Install Mechanism
No install spec — instruction-only plus two small helper scripts. The fallback requires Python packages (solana, solders) but these are ordinary pip packages and are indicated in the SKILL.md. No arbitrary downloads or extract-from-URL operations are present.
Credentials
Requesting SOLANA_PRIVATE_KEY is proportionate to the fallback's purpose (local signing of SOL transfers). The SKILL.md and SECURITY.md explicitly state the key is only read locally and not transmitted. Caveats: the registry view lists "Required env vars: none" which conflicts with the declared primaryEnv; the README recommends using a dedicated low-value wallet, which is good practice. Storing a private key in an environment variable has inherent risk — users should avoid using main-wallet keys.
Persistence & Privilege
Skill does not request always: true and does not modify other skills or system-wide configuration. It can be invoked autonomously (default), which is expected; no additional persistence or elevated privileges are requested.
Assessment
This skill appears to do what it claims: query the Fortuna API and optionally sign/send SOL to a hardcoded treasury address using a local private key. Before installing: (1) prefer using an existing wallet integration (Phantom MCP, solana-skills) so you do not supply a private key; (2) if you must use the fallback, create and fund a dedicated low-value wallet and set SOLANA_PRIVATE_KEY only in a controlled runtime (avoid sharing it in logs or long-lived files); (3) verify the homepage/api endpoints (https://fortunaonsol.com) yourself and confirm the treasury address; (4) note the small metadata inconsistencies (registry says no required env var; included _meta.json/origin.json show version 1.1.0 while registry lists 1.2.0) — these look like administrative drift but you may want to confirm you have the intended release. If you need higher assurance, inspect/send a transaction in a sandboxed environment or run the scripts locally with a throwaway wallet first.

Like a lobster shell, security has layers — review code before you run it.

agentvk9722b2x16dfsrc9epge3xsbmx81kgtkcryptovk9722b2x16dfsrc9epge3xsbmx81kgtkjackpotvk97bp0p6s8e7me8erg8qcsawyn81jz48latestvk97efwqnvg43eeez2y7hk60wzn81shajlotteryvk9722b2x16dfsrc9epge3xsbmx81kgtksolanavk9722b2x16dfsrc9epge3xsbmx81kgtk

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎲 Clawdis
Binscurl
Primary envSOLANA_PRIVATE_KEY

Comments