ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Gambling

v1.0.0

Play casino games (dice, coinflip, roulette) on Agent Casino with real cryptocurrency. Provably fair gambling API for AI agents. Use when the user wants to g...

0· 434·0 current·0 all-time
by@rollhub-dev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes playing provably-fair crypto casino games via agent.rollhub.com (register, deposit, bet, verify, withdraw, affiliate). The declared purpose aligns with the runtime instructions and required network calls.
Instruction Scope
Instructions are narrowly scoped to the Agent Casino API (agent.rollhub.com). They do not instruct reading local files, other env vars, or sending data to unrelated endpoints. All API endpoints and payload fields are described explicitly.
Install Mechanism
This is an instruction-only skill with no install spec and no code files; nothing is written to disk by the skill package itself.
!
Credentials
The SKILL.md requires an API key (rh_sk_...) and client_secret/client_seed values for provable fairness, but the skill metadata declares no required environment variables or a primary credential. That mismatch means there is no declared, managed way for the agent platform to store or protect the API key—this is a missing/undeclared secret requirement that matters because the API key grants control over real funds.
Persistence & Privilege
always is false (good) but model-invocation is enabled (default), meaning the agent could autonomously call the API and place bets if it obtains an API key. With real-money gambling, autonomous invocation increases risk; the skill does not request system-wide persistence or modify other skills.
What to consider before installing
This skill interfaces with a real-money crypto casino. Before installing: 1) Verify the operator (agent.rollhub.com) independently — the skill listing has no homepage and unknown source/publisher. 2) Do not give your API key to untrusted skills; the skill metadata fails to declare how the key should be stored. 3) Consider disabling autonomous invocation or restricting the skill so it cannot place bets without explicit user confirmation — an agent with the API key could gamble funds automatically. 4) Test flows with very small deposits first and confirm withdraw/verification behavior. 5) If you proceed, ensure the API key is stored securely (use platform-managed secrets if available) and review terms/affiliate implications. If you want, I can suggest safe guard settings or a checklist to reduce risk before enabling this skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk97ehvcy068cxr5zpfn5twpr1h81t5pe

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments