Fortuna Lottery
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent is allowed to run this transfer path, real SOL can be irreversibly spent on lottery tickets.
The fallback tool converts a command-line amount into an on-chain SOL transfer to a hardcoded treasury and sends it directly. The reviewed source shows no interactive confirmation, spend ceiling, or reversible approval step.
TREASURY = "BzHharnq5sa7TUWPSG1TysjwxuBVJchoU8CGRDmbLcfW" ... amount_sol = float(sys.argv[1]) ... resp = client.send_transaction(txn, sender)
Require explicit user confirmation before every transfer, add a maximum spend per round/session, and use a wallet flow that surfaces the recipient and amount before signing.
Using a main wallet key would expose broad signing authority to the agent runtime and could lead to unintended loss of funds if misused.
The fallback reads a raw Solana private key and uses it as the signing key. Although disclosed and purpose-aligned, a raw private key is not scoped to lottery spending and can authorize any transaction from that wallet.
private_key = os.environ.get("SOLANA_PRIVATE_KEY") ... sender = Keypair.from_base58_string(private_key)
Do not use a main wallet private key. Prefer a wallet/MCP integration with approval prompts, or use a dedicated wallet with only the amount you are willing to lose.
A user running the fallback may install whatever current versions of these packages are resolved by pip.
The optional fallback depends on unpinned package names installed at runtime. This is expected for the fallback script, but package versions and provenance are not locked in the artifacts.
Runtime packages required for fallback: `pip install solana solders`
Install dependencies in an isolated environment and prefer pinned, reviewed package versions before using the private-key fallback.
