ClawHub

Gambling Analyst

v1.0.0

Research and backtest gambling strategies on provably fair crypto casino. Analyze Martingale, Kelly Criterion, D'Alembert, Anti-Martingale, Flat Bet strategi...

0· 653·0 current·0 all-time
by@rollhub-dev
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description (crypto casino strategy backtesting) align with the SKILL.md and the included script, which call agent.rollhub.com endpoints to place and verify bets. This capability legitimately needs network access to the stated API. However, the skill metadata declares no required environment variables or primary credential while both SKILL.md and scripts expect an API key — an inconsistency.
!
Instruction Scope
Runtime instructions explicitly tell the agent (and the user) to place real micro-bets in a loop (curl POST /bet), record/verifiy results, and generate reports. That is coherent with backtesting on live data but has direct financial impact (real wagers). The SKILL.md and scripts send data to an external endpoint (agent.rollhub.com) as expected for the purpose; nonetheless there is no strong safety guidance or sandbox/test-mode suggestion. The instructions do not read unrelated system files, but they do instruct sending possibly many real transactions — this is risky and should be made explicit to users.
Install Mechanism
No install spec — instruction-only plus a small script — so nothing is downloaded or installed at runtime. This reduces supply-chain risk.
!
Credentials
The skill metadata lists no required env vars or primary credential, but scripts and SKILL.md require an API key (examples show 'Authorization: Bearer YOUR_API_KEY' and the bash script requires AGENT_CASINO_API_KEY). This mismatch is a meaningful incoherence: the skill will fail or prompt for credentials at runtime, and the missing declaration prevents pre-install review of requested secrets. Only one credential is needed (API key), which would be proportionate — but it should be declared explicitly.
Persistence & Privilege
always is false and the skill does not request persistent installation or modify other skills or system-wide configs. Autonomous invocation is allowed (platform default) but is not combined with any elevated 'always' setting or additional privileges.
What to consider before installing
This skill will place real bets on agent.rollhub.com if you run it — that can cost real money. The package metadata does not declare the API key it needs (AGENT_CASINO_API_KEY), which is inconsistent and hides the fact that you'll need to provide credentials. The included bash script is fragile and contains bugs (broken Python f-strings and mixed shell/python arithmetic) so it may misreport results or fail. Before installing or running: 1) Do not use your production/real-money API key — test with a sandbox/test key or a mocked endpoint. 2) Review and fix the script locally (correct the Python calls that calculate Win Rate, RTP, and totals) and add error handling/rate limiting. 3) Confirm the API host (https://agent.rollhub.com/api/v1) with the service owner; avoid unknown third‑party endpoints unless you trust them. 4) Ensure you understand financial risk: even 'micro-bets' accumulate costs. 5) Ask the skill author to update metadata to declare AGENT_CASINO_API_KEY as a required credential and to provide an explicit test/sandbox mode. If you can't validate the endpoint or the author, treat this as untrusted and don't run it with real funds.

Like a lobster shell, security has layers — review code before you run it.

latestvk972d00qfdgqzs1pwwkxk7e5cx81rdn7

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

📊 Clawdis

Comments