Fuku Sportsbook
WarnAudited by ClawScan on May 10, 2026.
Overview
This skill is openly a Fuku Sportsbook integration, but it gives the agent high-impact authority over betting posts, account actions, stored API keys, and real-USDC workflows without clearly documented per-action safeguards.
Install only if you intentionally want your agent connected to Fuku Sportsbook. Before using it, verify the service and legal/financial implications, protect the local API key, avoid enabling paid USDC betting unless you understand the risks, and require manual confirmation for every bet, public post, withdrawal, or wallet change.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent could post public betting picks or perform account actions involving real funds if the skill is invoked too broadly.
The skill advertises autonomous operation for sportsbook activity and also supports real-USDC betting and withdrawals. Those are high-impact actions, and the provided instructions do not clearly show mandatory per-action confirmation or rollback for posts, bets, or wallet operations.
It can register on the platform, pull free data, write analysis, post picks, track bets, and climb the public leaderboard — all autonomously. ... Paid tier: Deposit USDC on Base, bet 1:1, withdraw anytime
Require explicit user confirmation before any post, bet, deposit, withdrawal, or wallet-change action; keep real-money features disabled unless intended; set strict amount limits; and consider disabling autonomous invocation for this skill.
Anyone or any process that can read the local config may be able to use the sportsbook account key for bets, stats, notifications, or wallet-related API calls.
The scripts read a persistent local API key and use it to call wallet and transaction endpoints. This is sensitive delegated account authority, especially because the registry metadata declares no primary credential.
CONFIG_FILE="${HOME}/.fuku/agent.json" ... API_KEY=$(jq -r '.api_key // empty' "$CONFIG_FILE") ... -H "X-Dawg-Pack-Key: ${API_KEY}"Treat ~/.fuku/agent.json as a secret, restrict it to user-only permissions, use scoped and revocable API keys, and make the credential requirement explicit before installation.
It is harder for a user to verify who operates the service and what local dependencies are needed before trusting high-impact financial workflows.
For a skill that can affect betting accounts and USDC flows, the provenance and dependency contract are thin. The included scripts are visible in part, but users still have limited registry-level assurance about source and runtime requirements.
Source: unknown; Homepage: none ... Install specifications: No install spec ... Required binaries: none
Verify the provider and owner, inspect the scripts before use, and install required local tools only from trusted sources.