Fortuna Lottery
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill is transparent about its lottery purpose, but it can use a raw Solana private key to send real SOL to a lottery treasury without a built-in confirmation or spending limit.
Only install or use this if you are comfortable with an agent helping spend real SOL on a lottery. Prefer a wallet integration that requires approval, never provide your main wallet private key, use a dedicated limited-funds wallet, verify the treasury address independently, and pin/review fallback dependencies before running the script.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent is allowed to run this transfer path, real SOL can be irreversibly spent on lottery tickets.
The fallback tool converts a command-line amount into an on-chain SOL transfer to a hardcoded treasury and sends it directly. The reviewed source shows no interactive confirmation, spend ceiling, or reversible approval step.
TREASURY = "BzHharnq5sa7TUWPSG1TysjwxuBVJchoU8CGRDmbLcfW" ... amount_sol = float(sys.argv[1]) ... resp = client.send_transaction(txn, sender)
Require explicit user confirmation before every transfer, add a maximum spend per round/session, and use a wallet flow that surfaces the recipient and amount before signing.
Using a main wallet key would expose broad signing authority to the agent runtime and could lead to unintended loss of funds if misused.
The fallback reads a raw Solana private key and uses it as the signing key. Although disclosed and purpose-aligned, a raw private key is not scoped to lottery spending and can authorize any transaction from that wallet.
private_key = os.environ.get("SOLANA_PRIVATE_KEY") ... sender = Keypair.from_base58_string(private_key)
Do not use a main wallet private key. Prefer a wallet/MCP integration with approval prompts, or use a dedicated wallet with only the amount you are willing to lose.
A user running the fallback may install whatever current versions of these packages are resolved by pip.
The optional fallback depends on unpinned package names installed at runtime. This is expected for the fallback script, but package versions and provenance are not locked in the artifacts.
Runtime packages required for fallback: `pip install solana solders`
Install dependencies in an isolated environment and prefer pinned, reviewed package versions before using the private-key fallback.
