Openclaw Fomo3d
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: openclaw-fomo3d Version: 1.3.1 The skill bundle provides a comprehensive CLI for interacting with Fomo3D gaming and prediction market contracts on the BNB Chain. It uses the 'viem' library for local transaction signing and correctly manages sensitive data by reading the private key from environment variables or a local config file without evidence of exfiltration. While the trading logic in 'buy.ts' and 'sell.ts' lacks slippage protection (setting minOutputAmount to 0), this risk is explicitly documented in 'SKILL.md' as a known limitation for users to consider.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent runs these commands with the configured key, tokens or BNB can be spent or approved on-chain, and those transactions may be irreversible.
This shows the skill can automatically grant token allowances for multiple financial and gambling actions, reducing user friction for high-impact spending.
The CLI automatically checks ERC20 token allowance and approves if needed before `purchase`, `buy`, `sell`, `slot spin`, `slot deposit`, `pred bet`, `pred propose`, and `pred dispute`. No manual approval step required.
Use only with explicit user confirmation, exact amounts, and preferably a dedicated low-balance wallet; avoid mainnet unless the user clearly requested it.
Anyone or any process that can access the configured private key could control the wallet funds available to that key.
A raw wallet private key can authorize real blockchain transactions, and the documented setup flow persists it locally without describing protective controls.
A private key is required... prompts for: BSC private key... Network (testnet or mainnet)... Saves to `config.json`.
Use a separate wallet with limited funds, protect or avoid the saved config file, and do not reuse a wallet that holds valuable assets.
Dependency changes could affect code that runs in the same environment as the wallet private key.
Caret version ranges allow npm to install newer compatible dependency versions, which is normal for Node projects but worth noting for a skill that handles a private key.
"dependencies": { "tsx": "^4.19.2", "viem": "^2.21.0" }Install from a trusted source, review the dependency tree, and prefer a lockfile or pinned dependency versions when using real funds.