Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Optionns

v1.0.24

Autonomously monitor live sports games and execute micro-bets on one-touch barrier options with instant mockUSDC settlement on Solana Devnet.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description (autonomous micro-betting on Solana devnet) match the code and instructions. The skill legitimately needs API access, wallet key material, and the solders/httpx Python libs for signing and HTTP calls; no unrelated credentials or system services are requested.
Instruction Scope
SKILL.md and the CLI/scripts instruct the agent to register, call the Optionns API, request faucet funds, create/store a local keypair at ~/.config/optionns/, and sign/submit transactions locally. These steps are expected for the stated purpose but grant the skill permission to generate and persist a keypair and an API credential and to communicate with the remote API — the README explicitly warns to use devnet-only throwaway keys.
Install Mechanism
No packaged install from third-party URLs; code is included in the skill bundle and Python dependencies are installed via pip from PyPI (requirements.txt lists solders and httpx). Pip installs are typical here but carry the usual supply-chain risk of PyPI packages.
Credentials
No required environment variables; optional vars (OPTIONNS_API_KEY, OPTIONNS_API_URL, SOLANA_RPC_URL, SOLANA_PRIVATE_KEY, SOLANA_PUBKEY/ATA) are proportional to a trading/signing client. The skill persists an API key and keypair locally and will send wallet_address to the remote API on register — behavior needed for operation but worth attention because it transmits identifying/auth data to an unverified endpoint.
Persistence & Privilege
The skill writes config and keypair files under ~/.config/optionns/ (600 perms) and logs positions locally. It does not demand 'always:true' or elevated system privileges; self-registration and autonomous operation are part of the product design but increase blast radius if the remote API or code is malicious.
Assessment
This skill appears coherent for autonomous devnet betting, but take these precautions before installing or running it:

- Use throwaway/devnet-only keypairs; never point SOLANA_RPC_URL or keys to mainnet or reuse real wallets.
- Review the included scripts (especially scripts/signer.py and scripts/optionns.sh) yourself — they perform local signing and will write private key material to ~/.config/optionns/ by default.
- Verify the remote API hostname (https://api.optionns.com) independently (DNS, repo, website, or vendor identity). The skill will transmit your wallet address and receive API keys from that endpoint during registration.
- Run the skill in an isolated environment (container/VM with restricted permissions and network egress) if you plan to allow autonomous invocation.
- Consider pinning and reviewing the pip dependencies (solders, httpx) before pip installing; prefer a virtualenv and inspect packages where practical.
- If you need stronger assurance, request a verified source/repository or reproducible build; absence of a trusted upstream (homepage/source unknown) lowers confidence.

If you are uncomfortable verifying the remote endpoint or code, do not provide real credentials and avoid enabling autonomous runs that can register or transact on your behalf.

Like a lobster shell, security has layers — review code before you run it.

Tags: betting, latest, options, sports
