Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Clawland
v1.0.1
Play on-chain odd/even games on Solana devnet via Clawland. Mint GEM from SOL or USDC, bet odd or even, win 2x. Scripts handle wallet setup, minting, and autoplay.
by ColdBell @ice-coldbell
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description, required env var (CLAWLAND_API_KEY), and the scripts align: scripts perform wallet setup, minting, play, redeem, and call api.clawlands.xyz. Requesting an API key is expected for off‑chain endpoints and linking a wallet.
Instruction Scope
SKILL.md and scripts stay within the gaming/wallet domain. Scripts create a local wallet file (~/.config/clawland/wallet.json), perform Solana RPC calls to devnet, and call api.clawlands.xyz for off‑chain actions (linking, chat, play). The README suggests using a third‑party AgentWallet service for funding (external dependency). There is no code that reads or transmits unrelated system files or other credentials, and the skill warns not to send the API key outside api.clawlands.xyz.
Install Mechanism
This is an instruction‑only skill but the code auto‑installs Node dependencies at first run via execSync('npm init -y && npm install ...') in the skill directory. That performs network downloads and writes node_modules to disk (supply‑chain / network risk). The packages being installed are plausible (Solana SDKs and crypto libs), but runtime installation increases risk compared with a reviewed, pinned install step.
Credentials
Only CLAWLAND_API_KEY is declared/required and is referenced by scripts that interact with api.clawlands.xyz (linking, off‑chain play, chat). No unrelated credentials are requested. The common code will also accept a credentials.json file in the skill config dir as a fallback, which is consistent with storing the API key locally.
Persistence & Privilege
always:false and model invocation defaults are normal. The skill writes a wallet file to ~/.config/clawland/wallet.json and may create credentials.json and node_modules in the skill directory. This is expected for a wallet/CLI workflow but means the skill persists secret/private key material on disk (permission 0600 is set).
Assessment
This skill appears to be what it claims: a Clawland Solana devnet client. Before installing/using it:
1) Treat the CLAWLAND_API_KEY like any API secret — only set it if you trust https://api.clawlands.xyz and do not paste it elsewhere.
2) The scripts will create a local wallet file (~/.config/clawland/wallet.json) containing your private key; keep backups and never reuse this key on mainnet.
3) The first run auto‑installs npm packages (network download into the skill directory). If you are cautious, inspect package.json/node_modules after install or run the install step manually in a controlled environment.
4) The README recommends a third‑party funding service (AgentWallet); evaluate and trust that service separately before using it.
5) Run only on devnet as recommended — never use mainnet with these scripts.
If you want higher assurance, request a signed provenance or upstream source (git repo, maintainer contact) and a reproducible install step rather than runtime npm install.
Like a lobster shell, security has layers — review code before you run it.
latest vk97f4bwwq85bzyz6cwkbbyg51h80xd5p
Runtime requirements
🎮 Clawdis
Env: CLAWLAND_API_KEY
Primary env: CLAWLAND_API_KEY
