Openclaw Fomo3d

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill matches its blockchain-game purpose, but it needs a wallet private key and can automatically approve and spend tokens on irreversible gambling/trading transactions.

Review this carefully before installing. It is not shown to be malicious, but it is a real blockchain gambling/trading tool: use a fresh low-balance wallet, start on testnet, require explicit confirmation before every transaction, and do not store or expose a valuable private key in the skill configuration.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If an agent runs these commands with the configured key, tokens or BNB can be spent or approved on-chain, and those transactions may be irreversible.

Why it was flagged

This shows the skill can automatically grant token allowances for multiple financial and gambling actions, reducing user friction for high-impact spending.

Skill content

The CLI automatically checks ERC20 token allowance and approves if needed before `purchase`, `buy`, `sell`, `slot spin`, `slot deposit`, `pred bet`, `pred propose`, and `pred dispute`. No manual approval step required.

Recommendation

Use only with explicit user confirmation, exact amounts, and preferably a dedicated low-balance wallet; avoid mainnet unless the user clearly requested it.

What this means

Anyone or any process that can access the configured private key could control the wallet funds available to that key.

Why it was flagged

A raw wallet private key can authorize real blockchain transactions, and the documented setup flow persists it locally without describing protective controls.

Skill content

A private key is required... prompts for: BSC private key... Network (testnet or mainnet)... Saves to `config.json`.

Recommendation

Use a separate wallet with limited funds, protect or avoid the saved config file, and do not reuse a wallet that holds valuable assets.

What this means

Dependency changes could affect code that runs in the same environment as the wallet private key.

Why it was flagged

Caret version ranges allow npm to install newer compatible dependency versions, which is normal for Node projects but worth noting for a skill that handles a private key.

Skill content

"dependencies": { "tsx": "^4.19.2", "viem": "^2.21.0" }

Recommendation

Install from a trusted source, review the dependency tree, and prefer a lockfile or pinned dependency versions when using real funds.