Openclaw Fomo3d
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is a blockchain gambling/trading CLI that requires a raw BSC private key and can approve and spend tokens on-chain, so it needs careful review before use.
Treat this as a high-risk financial/gambling integration rather than a normal utility. If you use it, create a separate BSC wallet with only funds you are prepared to lose, start on testnet, require manual confirmation for every transaction, check token allowances and contract addresses, and avoid storing or entering your main private key.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the configured private key belongs to a funded wallet, commands run through the skill can move or commit assets in irreversible blockchain transactions.
A raw blockchain private key gives signing authority over wallet funds and the setup flow persists that configuration; the artifacts do not state encryption, spend limits, or wallet-confirmation protections.
A private key is required... prompts for: BSC private key (for signing transactions)... Saves to `config.json`.
Use only a dedicated low-balance wallet, prefer testnet first, and do not provide a main wallet private key.
A mistaken or over-broad agent invocation could approve token spending, buy or sell tokens, deposit funds, or place slot bets without an additional manual approval step.
Automatic token approval and transaction commands are purpose-aligned for this game, but they are high-impact and the artifacts do not show explicit confirmation, spending caps, or bounded approval amounts before on-chain actions.
The CLI automatically checks ERC20 token allowance and approves if needed before `purchase`, `buy`, `sell`, `slot spin`, and `slot deposit`. No manual approval step required.
Require explicit user approval for every transaction, set small amounts, verify contract addresses and allowances, and revoke unused token approvals after use.
It may be harder to confirm that the reviewed code exactly matches the published skill version before trusting it with a private key.
The package version differs from the registry/SKILL.md version 1.2.0, and the skill relies on npm-installed Node dependencies. This is not malicious by itself, but it is a provenance detail users should notice for a wallet-signing skill.
"version": "0.1.0" ... "dependencies": { "tsx": "^4.19.2", "viem": "^2.21.0" }
Install only from a trusted source, verify the package contents and lockfile, and resolve the version mismatch before using a funded wallet.
