Agent Casino
Verdict: Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill clearly discloses real-USDC gambling, but it sends hidden game choices/salts to a remote API and asks the agent to sign irreversible transaction data without strong verification or approval boundaries.
Install only if you intentionally want an agent to interact with a real-money Base wallet. Use a small dedicated wallet, manually verify every transaction target and calldata before signing, and be aware that the current API flow appears to reveal hidden game inputs to the service provider before on-chain reveal.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the API is wrong, compromised, or pointed elsewhere, an agent could ask a wallet to sign unintended approvals or token transactions.
The skill couples remotely supplied transaction data with wallet signing for real USDC, but the artifacts do not require local decoding, contract allow-list checks, or explicit per-transaction user approval before signing.
The API returns unsigned transaction data. Your agent must sign and broadcast transactions using its own wallet.
Require manual wallet confirmation, verify the transaction target and calldata against the listed contracts, and use a small dedicated wallet with limited USDC.
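The recommendation above asks the agent to check the transaction target and calldata before signing. The following is an added example of such a pre-sign gate; it is not the skill's code and not part of the ClawScan report. The response shape ({ to, data, value, chainId }), the hypothetical game contract address, the allow-list and the 25 USDC approval cap are assumptions for illustration; the addresses an agent trusts must come from an independently verified source, never from the API response it is about to sign.

```javascript
// Added example, not the skill's own code: a local gate run on the unsigned
// transaction the remote API returns, before any signing happens.
// Assumptions: response shape { to, data, value, chainId }, a hypothetical game
// contract, and a per-approval cap. Verify every address independently.

const BASE_CHAIN_ID = 8453;                                     // Base mainnet
const USDC_BASE = '0x833589fcd6edb6e08f4c7c32d4f71b54bda02913'; // native USDC on Base (verify independently)
const CASINO = '0x1111111111111111111111111111111111111111';     // hypothetical game contract

// ERC-20 selectors: first 4 bytes of keccak256 of the canonical signature.
const SELECTORS = {
  '0x095ea7b3': 'approve',  // approve(address spender, uint256 amount)
  '0xa9059cbb': 'transfer', // transfer(address to, uint256 amount)
};

const policy = {
  chainId: BASE_CHAIN_ID,
  allowedTargets: new Set([USDC_BASE, CASINO]),
  allowedSpenders: new Set([CASINO]),
  maxApproveAmount: 25n * 10n ** 6n, // 25 USDC (6 decimals) per approval
};

// Decode an ERC-20 approve/transfer call from raw calldata; null if it is
// neither, or is malformed (wrong length, non-hex, dirty address padding).
function decodeErc20Call(data) {
  const hex = String(data).toLowerCase();
  if (!/^0x[0-9a-f]*$/.test(hex) || hex.length !== 2 + 8 + 64 * 2) return null;
  const name = SELECTORS[hex.slice(0, 10)];
  if (!name) return null;
  const word1 = hex.slice(10, 74);
  const word2 = hex.slice(74, 138);
  // An address occupies the low 20 bytes of its 32-byte word; the high 12 must be zero.
  if (!/^0{24}/.test(word1)) return null;
  return { name, address: '0x' + word1.slice(24), amount: BigInt('0x' + word2) };
}

// Return { ok, reasons }; the agent signs only when ok is true and reasons is empty.
function vetTransaction(tx, pol = policy) {
  const reasons = [];
  const to = String(tx.to || '').toLowerCase();
  if (Number(tx.chainId) !== pol.chainId) reasons.push(`chainId ${tx.chainId} is not ${pol.chainId}`);
  if (!pol.allowedTargets.has(to)) reasons.push(`target ${to} is not on the allow-list`);
  if (BigInt(tx.value || 0) !== 0n) reasons.push('unexpected native ETH value in a USDC transaction');
  if (to === USDC_BASE) {
    const call = decodeErc20Call(tx.data || '0x');
    if (!call) reasons.push('calldata to USDC is not a recognised approve/transfer');
    else if (call.name === 'transfer') reasons.push(`direct USDC transfer to ${call.address} is not part of the game flow`);
    else {
      if (!pol.allowedSpenders.has(call.address)) reasons.push(`approve spender ${call.address} is not the game contract`);
      if (call.amount > pol.maxApproveAmount) reasons.push(`approve amount ${call.amount} exceeds cap ${pol.maxApproveAmount}`);
    }
  }
  return { ok: reasons.length === 0, reasons };
}

// Constructed samples: approve(CASINO, 10 USDC) as the benign case, and an
// unlimited approve to an unknown spender as the case the gate must reject.
const pad = (h) => h.replace(/^0x/, '').padStart(64, '0');
const okTx = {
  chainId: 8453, to: USDC_BASE, value: '0x0',
  data: '0x095ea7b3' + pad(CASINO) + pad((10n * 10n ** 6n).toString(16)),
};
const badTx = {
  chainId: 8453, to: USDC_BASE, value: '0x0',
  data: '0x095ea7b3' + pad('0x2222222222222222222222222222222222222222') + 'f'.repeat(64),
};

console.log(JSON.stringify(vetTransaction(okTx)));  // ok: true
console.log(JSON.stringify(vetTransaction(badTx))); // ok: false, two reasons
```

The gate deliberately rejects anything it cannot decode rather than passing it through: an unknown selector, a direct transfer, or a non-zero ETH value are all treated as reasons to stop and ask the user, which is the "explicit per-transaction approval" boundary the finding says the artifacts lack.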
The remote service can learn a player's move before it should be public, which can undermine game fairness when real money is at stake.
The pre-reveal game choice, and optionally the salt, are sent to the remote provider API before reveal, so the commitment secret is not kept local to the player.
    // From the skill's create flow: the plaintext choice (and the salt, if supplied) go to the API.
    const body = { choice: choiceNum };
    if (salt) body.salt = salt;
    const d = await request('POST', '/create', body);
Prefer a design that generates the salt and commitment locally and sends only the commitment before reveal, or use the service only if you explicitly trust the API operator.
Users may over-trust the stated commit-reveal fairness and not realize the API provider can know the hidden move information.
The documentation tells users the salt must stay secret, but also describes the API as generating and returning that salt after receiving the choice, which makes the remote API part of the trust boundary.
Create a new game. Generates commitment from your choice + salt. ... Save the returned `salt` ... Keep your salt secret until reveal
Clarify the trust model and warn that the API sees commitment inputs unless commitments are generated locally.
Using the skill can spend or lock real USDC and incur gas costs through the connected wallet.
Wallet authority and USDC funds are expected for this purpose and no private-key handling is shown, but this is still sensitive delegated financial authority.
Requires a wallet with USDC on Base. ... All transactions must be signed by the player's own wallet
Use a separate low-balance wallet, keep spending approvals limited, and do not let an autonomous agent sign transactions without review.
Users have less context for verifying who operates the API and whether the service matches its claims.
For a remote financial service, the lack of source and homepage provenance makes independent verification harder, although the provided local code is small and unobfuscated.
Source: unknown; Homepage: none
Verify the operator, contracts, and API behavior independently before connecting a wallet with funds.
