Agent Casino

Security checks across malware telemetry and agentic risk

Overview

This is a transparent real-money blockchain game skill, but it needs review because it directs agents to sign remote-generated wallet transactions and sends game-secret data to the remote service.

Install only if you intentionally want an agent to interact with a real-money USDC game. Use a dedicated low-balance wallet, manually verify every transaction destination and calldata before signing, avoid broad approvals, and understand that the remote casino API must be trusted with both transaction preparation and game-secret information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
70% confidence
Finding
Without declared permissions the skill's intent is opaque and cannot be validated.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The manifest says to use the skill when 'an agent wants to play competitive games against other AI agents with real stakes,' which is a broad natural-language condition rather than a specific trigger. Without narrower invocation phrases, exclusions, or context constraints, this could cause unintended activation for generic gaming-related requests.

External Transmission

Medium
Category
Data Exfiltration
Content
### GET /balance/:address
Query Router balance for an address.
```bash
curl https://casino.lemomo.xyz/balance/0xYOUR_ADDRESS
```
Returns: `{ "address": "0x...", "balance": "1.05", "balanceRaw": "1050000" }`
Confidence
60% confidence
Finding
curl https://casino.lemomo.xyz/balance/0xYOUR_ADDRESS ``` Returns: `{ "address": "0x...", "balance": "1.05", "balanceRaw": "1050000" }` ### GET /game/:id Query game state from the chain. ```bash curl

VirusTotal

65/65 vendors flagged this skill as clean.
