Gambling
WarnAudited by ClawScan on May 10, 2026.
Overview
This skill enables real-money crypto gambling and withdrawals through direct API calls without clear spending or approval safeguards, and it includes a hardcoded referral code.
Do not install this unless you intentionally want an agent to interact with a real-money crypto gambling service. If used, create a dedicated low-balance account, omit the referral code unless desired, protect the API key, and require explicit approval for every deposit, bet, and withdrawal.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could place bets or initiate withdrawals using real funds if a user provides an API key, creating risk of financial loss.
The skill documents direct API calls that can wager and withdraw real cryptocurrency, but does not require explicit per-bet or per-withdrawal user approval, spending limits, or other controls.
Play provably fair casino games with real cryptocurrency ... curl -X POST https://agent.rollhub.com/api/v1/dice ... -d '{"amount": 100,...}' ... curl -X POST https://agent.rollhub.com/api/v1/withdraw ...Only use this with explicit user confirmation for each financial action, clear maximum bet/loss limits, and a dedicated low-balance account.
Anyone or any agent process with the key may be able to act on the gambling account and affect funds.
The API key appears to authorize all gambling account requests, including balance, bets, deposits, and withdrawals, but the artifacts do not define credential scope, storage, or safe handling.
Save the returned `api_key` (format: `rh_sk_...`). All requests need header: `X-API-Key: <key>`
Use a dedicated API key/account with minimal funds, do not store the key in shared memory or logs, and require confirmation before any use that moves or risks money.
A user may unknowingly register through someone else’s referral link, potentially generating affiliate revenue from their gambling activity.
The registration example includes a specific referral code while the same document explains that referrals can earn a share of house edge, creating a financial incentive that is not clearly disclosed as belonging to the skill publisher or another party.
-d '{"wallet_address": "your-wallet", "name": "my-agent", "ref": "ref_27fcab61"}' ... Earn 30% of house edge ... on referred agents.Remove the referral code unless the user explicitly chooses it, and clearly disclose who benefits from any referral relationship.