Fairness Auditor
Warn. Audited by ClawScan on May 10, 2026.
Overview
Review before installing: this skill can place many casino bets with an API key, its verification script trusts the casino’s own response, and the package contains a leaked publish token.
Only use this after confirming the casino API key’s permissions and the cost of each bet. Do not run the betting command unless you explicitly want to wager funds, and do not rely on the generated report as independent cryptographic proof until the verifier recomputes the results locally. The publisher should also rotate the exposed ClawHub token before this skill is trusted.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent could unintentionally spend casino balance by placing many bets during an audit.
Running the script with no command defaults to placing 100 authenticated bets, and there is no confirmation, spending cap, or dry-run before repeated wagering.
CMD="${1:-run}" ... N="${2:-100}" ... curl -s -X POST "$API_BASE/bet" ... -d '{"game": "coinflip", "amount": 1, "choice": "heads"}'
Change the default to a non-mutating command, require explicit user confirmation for betting, show the total possible cost, cap N and amount, and provide a dry-run or read-only audit path.
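The controls recommended above, written out as an added example rather than the skill's own code. The skill's script is bash; the same control flow is shown here in JavaScript so it can be exercised offline. The caps, the read-only command names, the `send` callback and the `casino.example` API base are assumed values, not the skill's.

```javascript
// Added example (not the skill's code): guardrails for a command that can
// spend funds. Caps, command names and the API base are assumed values.
const MAX_BETS = 10;            // hard cap on N per invocation (assumed)
const MAX_AMOUNT = 1;           // hard cap on per-bet amount (assumed)
const READ_ONLY = new Set(["audit", "verify", "status"]);

// Build a plan without touching the network. Defaults are non-mutating:
// no command means "audit", and betting is a dry run unless confirmed.
function planBets(opts = {}) {
  const {
    command = "audit", n = 1, amount = 1,
    confirm = false, dryRun = true,
    apiBase = "https://casino.example/api", // placeholder, not the real API
  } = opts;

  if (READ_ONLY.has(command)) return { command, mutating: false, totalCost: 0, requests: [] };
  if (command !== "bet") throw new Error(`unknown command: ${command}`);
  if (!Number.isInteger(n) || n < 1 || n > MAX_BETS) throw new Error(`N must be 1..${MAX_BETS}, got ${n}`);
  if (!(amount > 0) || amount > MAX_AMOUNT) throw new Error(`amount must be in (0, ${MAX_AMOUNT}], got ${amount}`);

  const totalCost = n * amount; // shown to the user before anything is sent
  if (!dryRun && !confirm) {
    throw new Error(`refusing to wager up to ${totalCost} across ${n} bets without confirm=true`);
  }
  const requests = Array.from({ length: n }, () => ({
    method: "POST", url: `${apiBase}/bet`,
    body: { game: "coinflip", amount, choice: "heads" },
  }));
  return { command, mutating: true, dryRun, totalCost, requests };
}

// Execute a plan. `send` is injected (e.g. an HTTP client); in a dry run it is
// never called and the plan is returned for inspection. Execution stops at the
// first failed request so a misbehaving API cannot burn through the cap.
async function execute(plan, send) {
  if (!plan.mutating || plan.dryRun) return { sent: 0, skipped: plan.requests.length, plan };
  let sent = 0;
  for (const req of plan.requests) {
    const res = await send(req);
    if (!res || res.ok !== true) break;
    sent += 1;
  }
  return { sent, skipped: plan.requests.length - sent, plan };
}

module.exports = { planBets, execute, MAX_BETS, MAX_AMOUNT };
```

With this shape, running the skill with no arguments performs the read-only audit, `bet` without `confirm` only prints the priced plan, and the caps bound the worst case even when confirmation is given.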
Users may not realize the skill needs an account credential that can authorize betting actions.
The script requires and uses a bearer API key even though the registry metadata declares no required environment variables or primary credential.
if [ -z "$AGENT_CASINO_API_KEY" ]; then ... exit 1 ... -H "Authorization: Bearer $AGENT_CASINO_API_KEY"
Declare AGENT_CASINO_API_KEY in metadata, document its scope and risks, prefer the least-privileged or read-only token possible, and separate verification from betting authority.
If the token is valid, someone could misuse it to publish or tamper with packages under that account or project.
A plaintext ClawHub publish token is included in the distributed artifact.
CLAWHUB_TOKEN=clh_... npx clawhub publish ./rollhub-auditor
Immediately revoke and rotate the token, remove RETRY_PUBLISH.txt from the package and repository history, and republish a clean version.
The report may give false confidence that bets were independently audited when the target service effectively verified itself.
The advertised cryptographic audit is implemented by trusting the casino service’s own verification response rather than independently recalculating the hash and result.
VERIFY=$(curl -s "$API_BASE/verify/$BET_ID" ...); STATUS=$(echo "$VERIFY" | python3 -c "... d.get('verified',False) ...")
Fetch the revealed seed data and locally recompute SHA3-384 commitments and AES-CTR results; label server-side verify responses as informational only.
