THE FLIP
v1.0.8
$1 USDC entry. Pick 20 predictions. All 20 coins flip at once each round. Match the first 14 to win the entire jackpot. Live on Solana devnet.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (a Solana devnet coin-flip) are consistent with the included Rust program, IDL, and Node demo script. Required binary (node) aligns with the JS demo. Dependencies in package.json match expected Solana/Anchor tooling.
Instruction Scope
SKILL.md and app/demo.mjs instruct the agent/user to read a local keyfile (~/.config/solana/id.json) or use ANCHOR_WALLET for signing transactions; the demo will load and use private key material to send on-chain transactions (enter/flip/claim). The README suggests posting your wallet on a public forum to receive devnet USDC (ambiguous and risky). The SKILL.md also instructs running a remote installer via curl from release.anza.xyz — an unverified host. These instructions expand scope beyond just 'querying game state' to reading local secrets and running external installers.
Install Mechanism
There is no automated install spec (instruction-only), which lowers automatic risk. However, SKILL.md recommends installing Solana CLI via a curl command pointed at release.anza.xyz (not an official Solana domain). That is a risky manual install recommendation and could supply arbitrary code if followed.
Credentials
The skill declares no required env vars, but the demo code reads process.env.ANCHOR_WALLET and defaults to ~/.config/solana/id.json to load a Keypair (private key). Accessing a local keyfile is necessary to sign transactions, but this is sensitive and not explicitly declared in requires.env. The README suggestion to post your wallet publicly is ambiguous (could lead users to expose private keys if they misunderstand).
Persistence & Privilege
Skill is not always-on and does not request special platform privileges. It does not modify other skills or system-wide agent settings. Autonomous invocation is allowed (default) but combined with the above concerns increases risk if an agent were to run enter/claim using local keys without user oversight.
What to consider before installing
This repository genuinely implements a Solana devnet coin-flip game and is internally coherent, but it requires access to your Solana keypair to send transactions (enter/flip/claim). Before using:
(1) Do NOT post or upload your private key — only share your public address.
(2) Inspect ~/.config/solana/id.json (or the file you pass) — it contains your private key; only use a throwaway devnet wallet with minimal funds.
(3) Avoid running curl installers from unknown domains (the SKILL.md points to release.anza.xyz); prefer official Solana install instructions (official docs).
(4) If you only want to query state, use the provided HTTP API or node app status/ticket commands without supplying a keyfile.
(5) Verify the on-chain program ID and contract behavior on Solana Explorer and consider reviewing the Rust program itself (included) before calling any entry/claim/withdraw functions.
If you want a safer test, create a new devnet-only wallet and fund it with airdrops rather than reusing keys that hold real assets.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🎰 Clawdis
Bins: node
