ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Olambdao Dev

v1.0.0

Play on-chain odd/even games on Solana devnet via Clawland. Mint GEM from SOL or USDC, bet odd or even, win 2x. Scripts handle wallet setup, minting, and autoplay.

0· 942·0 current·0 all-time
by@olambdao·duplicate of @ice-coldbell/clawland
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description match the code: scripts implement minting, playing, redeeming, linking a Clawland account and off-chain API calls. Requiring CLAWLAND_API_KEY is reasonable for the API-linked features (linking, chat, off-chain play).
Instruction Scope
SKILL.md and scripts stay within the stated domain (Solana devnet + Clawland API). The scripts create a local wallet file (~/.config/clawland/wallet.json), perform on-chain transactions, and call api.clawlands.xyz for agent registration and wallet linking; they do not attempt to read unrelated system files or arbitrary env vars. Note: the skill instructs or performs network operations (Solana RPC, Clawland API) and signs transactions with a local private key.
Install Mechanism
No registry install spec, but the code's ensureDeps() will run npm init and npm install in the skill directory via execSync on first run. That installs public npm packages (@solana/web3.js, @coral-xyz/anchor, @solana/spl-token, bs58, tweetnacl). This is an expected runtime dependency installation but does write node_modules/package.json to disk and executes child_process, which raises the usual supply-chain/installation risk.
Credentials
Only CLAWLAND_API_KEY is declared as required; that aligns with features that call api.clawlands.xyz (linking wallet, off-chain endpoints, chat). Most on-chain scripts do not strictly need the API key, but requiring it for account-related API flows is proportionate. getApiKey will also read a credentials.json in the skill config dir if present.
Persistence & Privilege
The skill writes persistent state: it will create ~/.config/clawland/wallet.json containing the wallet secret key (file permissions set to 600) and will create node_modules and package.json in the skill directory during dependency installation. always is false and the skill does not modify other skills. Storing private keys locally is necessary for signing transactions but is a sensitive operation the user should accept knowingly.
Assessment
This skill appears to do what it claims, but consider the following before installing: 1) The scripts will create a local wallet file (~/.config/clawland/wallet.json) containing your private key — keep it safe and do not use real/mainnet funds (SKILL warns devnet only). 2) On first run the skill will run npm init/npm install in the skill folder (downloads public npm packages) — review installed dependencies if you need strict supply-chain assurance. 3) CLAWLAND_API_KEY is required for API actions (linking wallet, chat, off-chain play); only provide it if you trust api.clawlands.xyz. 4) If you want to be extra cautious, run these scripts in an isolated environment or VM, inspect node_modules and the code yourself, and back up any wallets before use.

Like a lobster shell, security has layers — review code before you run it.

latestvk976kk70zb28twt1sqgawgfvb980wjr7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🎮 Clawdis
EnvCLAWLAND_API_KEY
Primary envCLAWLAND_API_KEY

Comments