Openclaw Fomo3d
Security checks across static analysis, malware telemetry, and agentic risk
Overview
Review before installing: this skill asks for a BNB Chain wallet private key and can automatically approve and spend tokens in blockchain games, trades, and prediction markets.
Only install this if you intentionally want an agent-accessible CLI for BSC gambling/trading. Use a fresh low-balance wallet, start on testnet, verify the source and contract addresses, inspect each command before execution, and do not store or provide a private key for any wallet you cannot afford to lose.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the configured key belongs to a wallet with valuable assets, any mistaken, compromised, or overly broad use of the skill could spend funds or expose the wallet through the saved config.
The skill requires a raw wallet private key and documents persisting it locally, which gives the CLI authority to sign transactions from that wallet.
A private key is required... prompts for: - BSC private key (for signing transactions) - Network (testnet or mainnet) - Optional custom RPC URL ... Saves to `config.json`.
Use a dedicated low-balance game wallet, prefer testnet first, avoid using a primary wallet key, protect or avoid persistent config files, and delete/rotate the key if the config is exposed.
The agent could approve token spending and submit trades, bets, spins, deposits, or disputes that cost BNB/tokens; on-chain actions are generally irreversible.
Automatic token approvals before financial/gambling actions remove a separate user review step for high-impact, irreversible blockchain operations.
The CLI automatically checks ERC20 token allowance and approves if needed before `purchase`, `buy`, `sell`, `slot spin`, `slot deposit`, `pred bet`, `pred propose`, and `pred dispute`. No manual approval step required.
Before any mainnet action, require explicit user confirmation of network, contract/spender, token, allowance, amount, gas cost, and expected effect; use exact approvals rather than broad allowances where possible.
A compromised or unexpectedly changed dependency could affect a tool that handles a wallet private key and signs transactions.
The Node CLI depends on npm packages with semver ranges; this is normal for the stated purpose but means installation/runtime behavior depends on the npm supply chain.
"dependencies": {
"tsx": "^4.19.2",
"viem": "^2.21.0"
}
Install only from a trusted source, review the package/lockfile when available, pin dependencies for production use, and avoid running it with a valuable wallet key.
