ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Openclaw Fomo3d

v1.3.1

Play Fomo3D, Slot Machine, and Prediction Market on BNB Chain (BSC). Fomo3D is a blockchain game where players buy shares using tokens — the last buyer befor...

0· 287·0 current·0 all-time
byEren@erenvance
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (Fomo3D game, slots, prediction markets) align with the included code: many CLI commands, ABIs, and blockchain client code are present. Requesting a BSC private key is expected for signing game/trading transactions.
!
Instruction Scope
SKILL.md instructs interactive setup that asks for and stores a private key (writes config.json), runs transactions (buy/sell/approve/spin/claim/settle), and auto-approves ERC20 allowances. The doc also references additional environment variables (FOMO3D_NETWORK, FOMO3D_RPC_URL, FOMO3D_FLAP_TOKEN) that are not listed in requires.env; while optional, SKILL.md uses them at runtime. Storing a private key on disk and automatic approval behavior increases risk if the code or environment is compromised.
!
Install Mechanism
Registry metadata shows no formal install spec, yet the repo contains package.json and many source files and SKILL.md instructs running `npm install` and executing the CLI. That means code and npm dependencies will be fetched and executed on the user's machine (dependencies: tsx, viem). The lack of an explicit install spec in the registry is inconsistent with the included code and increases operational ambiguity.
Credentials
The skill requires a single high‑sensitivity credential (FOMO3D_PRIVATE_KEY) which is proportionate to a CLI that signs blockchain transactions. Optional env vars are referenced in the docs but not declared as required. Because the private key grants full control of the wallet, this is a sensitive privilege—expected for the task but dangerous if misused.
Persistence & Privilege
always is false and the skill does not request system-wide privileges. It will write its own config.json and may store the provided private key there if the user runs setup—this is normal for CLI wallet tooling but should be considered a sensitive local persistence.
What to consider before installing
This skill is a CLI wallet that will sign real BNB Chain transactions, so supplying your private key lets it move funds and approve token allowances. Before installing: (1) inspect the repository code yourself (or have a trusted auditor do so), especially any code paths that auto-approve tokens or save keys; (2) do not use your main wallet private key—use a throwaway or limited‑fund account; (3) run npm install in an isolated environment (container/VM) if you want to test; (4) verify RPC endpoints and contract addresses (a malicious RPC or contract can trick you into signing harmful txs); (5) consider setting FOMO3D_RPC_URL to a trusted node and avoid saving keys on disk—if you must, secure the config file and remove keys after use. The registry metadata lacks an explicit install spec despite shipping many source files—treat that discrepancy as a reason to review the code before granting any credentials.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dq7grvz5g15dbpsm2dh7x0582krqg

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎰 Clawdis
Binsnode
EnvFOMO3D_PRIVATE_KEY
Primary envFOMO3D_PRIVATE_KEY

Comments