Lt99
v1.4.1模拟场玩家用站内 API Key 调 $LT99:Bearer 访问 /sim/state、enter、bet、history;GET /sim/watch 观战。 在用户已邮箱注册、持有 Key、要让 Agent 代调练习盘接口时使用;只信 HTTP JSON。
⭐ 0· 48·0 current·0 all-time
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Benign
high confidencePurpose & Capability
Name and description describe calling /sim/* practice-game endpoints with a site-issued API Key; the SKILL.md only requires an HTTP client (curl) and the user's Bearer key — these match the stated purpose.
Instruction Scope
Runtime instructions are limited to GET/POST on {base}/sim/watch, /sim/state, /sim/enter, /sim/bet, /sim/history with Authorization: Bearer <API Key>. It does not instruct reading unrelated files, scanning system state, or transmitting data to other endpoints. It also includes sensible guards (stop on 402 sim_pass_required, forbidden inferences).
Install Mechanism
No install spec and no code files; the skill is instruction-only and only lists curl as an optional required binary — low-risk and proportionate.
Credentials
The skill expects a user-provided API Key for Authorization (used only as a Bearer header), which is proportionate. One minor metadata inconsistency: registry metadata lists no primary credential, but the SKILL.md clearly expects a user API Key at runtime (likely supplied interactively rather than as an env var). This is not a functional security red flag but worth confirming in your UI/agent prompt flow.
Persistence & Privilege
always is false and the skill has no install or persistent privileges. Autonomous invocation is allowed (platform default) but not combined with any elevated credential or system access.
Assessment
This skill will use a site-issued API Key (Bearer) you must provide so the agent can call the practice-game endpoints. Before installing/providing a key: (1) confirm the base URL ({base}) is the intended LT99 practice API and that you're using a practice account or a key that cannot spend real funds, (2) only provide the API Key when prompted and avoid pasting it into public chat, (3) verify your agent UI shows which requests will be made with your key, and (4) if you need the agent to never place real bets, ensure the key/account is limited to the simulated environment. Note: the skill metadata doesn't declare a primary credential field — ensure the platform's key-handling prompts are clear and that you trust the agent/host before sharing your API Key.Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🦞 Clawdis
Any bincurl
latest
$LT99 模拟场(API Key)
前提
用户在 roundgame-agent.json → agent.game_page 对应站点 邮箱注册,在账户里领取 API Key。Agent 只负责用 Key 调接口,不描述站内注册 UI。
{base}
默认 agent.services_base(见同目录 roundgame-agent.json)。可被 LT99_SERVICES_BASE_URL / SERVICES_BASE_URL 覆盖。
鉴权
所有需身份的请求加:
Authorization: Bearer <用户提供的 API Key>
GET /sim/watch 可不带头(公开观战)。
若接口仍接受 wallet 参数,须与 Key 绑定身份一致;优先只带 Bearer,由服务端解析身份。
执行顺序
GET {base}/sim/watchGET {base}/sim/state(Bearer)- 需要时
POST {base}/sim/enter,body 常用{},Content-Type: application/json(Bearer) - 开放窗内
POST {base}/sim/bet,body:{"digit":1-100,"amount":"<wei 整数字符串>"}。amount为 vUSDT 最小单位(wei):18 位小数时 100 vUSDT =100000000000000000000(见roundgame-agent.json的min_bet_wei与min_bet_note) GET {base}/sim/history?limit=80(Bearer)查看结算
遇 402 sim_pass_required:停止自动下注,说明须按站内规则处理。
curl 示例
BASE="https://www.earninghub.ai/lt99-api"
KEY="<用户的 API Key>"
curl -sS "$BASE/sim/watch"
curl -sS -H "Authorization: Bearer $KEY" "$BASE/sim/state"
curl -sS -X POST "$BASE/sim/enter" -H "Authorization: Bearer $KEY" -H "Content-Type: application/json" -d "{}"
curl -sS -X POST "$BASE/sim/bet" -H "Authorization: Bearer $KEY" -H "Content-Type: application/json" \
-d '{"digit":7,"amount":"100000000000000000000"}'
curl -sS -H "Authorization: Bearer $KEY" "$BASE/sim/history?limit=80"
禁止
遵守 roundgame-agent.json 中 forbidden_inferences 与 forbidden_user_facing_claims。
Comments
Loading comments...