THE FLIP
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: the-flip
Version: 1.0.8
The skill bundle is benign. It implements a Solana devnet game, 'THE FLIP', with clear instructions and code. High-risk capabilities like reading wallet files (`~/.config/solana/id.json` in `app/demo.mjs`) and using `curl | sh` for Solana CLI installation (in `SKILL.md`) are standard practices for Solana development and are used for their stated, legitimate purposes without any indication of malicious intent, data exfiltration, or prompt injection attempts against the agent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run, the skill can use your Solana keypair to sign devnet transactions and spend devnet USDC/SOL fees; using a wallet that also holds mainnet value would be unnecessarily risky.
The script reads a local Solana private key from an env-selected path or the default wallet path, while the skill metadata declares no credential or config-path requirement.
const raw = JSON.parse(fs.readFileSync(keyPath || process.env.ANCHOR_WALLET || path.join(process.env.HOME, '.config', 'solana', 'id.json'), 'utf8'));
return Keypair.fromSecretKey(Uint8Array.from(raw));
Use a dedicated throwaway devnet wallet, pass the keypair path explicitly, and do not let the agent run transaction commands without your confirmation. The publisher should declare ANCHOR_WALLET/default wallet access and avoid loading a private key for read-only commands.
An agent running these commands can enter the game, trigger a flip, or claim using the loaded wallet, which may spend tokens or fees on devnet.
The skill exposes commands that submit on-chain game transactions and mutate game state; this is purpose-aligned and disclosed, but should remain user-approved.
node app/demo.mjs enter HHTHHTTHHTHHTHHTHHTH ... Cost: 1 USDC ... node app/demo.mjs flip ... Permissionless — anyone can call.
Require explicit user approval before enter, flip, claim, withdraw-fees, init, or close-game-v1 actions.
Running the setup executes third-party installation code on your machine.
Setup relies on npm package installation and an optional remote shell installer for Solana tooling; this is user-directed setup, but the remote installer is not pinned in the instructions.
cd the-flip && npm install ... sh -c "$(curl -sSfL https://release.anza.xyz/stable/install)"
Inspect the installer source, prefer official package manager instructions where possible, and run setup in a constrained environment.
