Agent Casino
WarnAudited by ClawScan on May 10, 2026.
Overview
This skill openly targets real-money crypto gambling, but it provides agent-usable betting and withdrawal commands with no clear spending safeguards and includes a hard-coded referral code.
Review carefully before installing. This skill is for real cryptocurrency gambling, so only use it if you are comfortable with potential financial loss. Do not let an agent place bets, deposit funds, or withdraw funds without explicit confirmation and hard spending limits. Remove or replace the referral code unless you intentionally want to use it.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent follows these instructions with a valid key, it could place bets that lose cryptocurrency or initiate withdrawals without clear guardrails.
The skill documents direct API commands for real-money betting and withdrawals, but does not specify mandatory user approval, spending limits, or safeguards before executing these high-impact actions.
Play provably fair casino games with real cryptocurrency ... curl -X POST https://agent.rollhub.com/api/v1/dice ... -d '{"amount": 100, ...}' ... curl -X POST https://agent.rollhub.com/api/v1/withdraw ...Only use this with explicit user confirmation for every deposit, bet, and withdrawal; set hard bankroll and loss limits; and avoid autonomous execution.
A leaked or mishandled key could allow gambling activity or fund movement on the user's casino account.
The API key is a sensitive credential for a real-money gambling account, yet the registry metadata declares no primary credential or required environment variable.
Save the returned `api_key` (format: `rh_sk_...`). All requests need header: `X-API-Key: <key>`
Treat the API key like a financial credential, store it securely, avoid pasting it into shared chats/logs, and require the skill metadata to declare this credential requirement.
A user or agent copying the setup command may enroll under someone else's referral, causing that party to earn from the user's betting volume.
The registration example includes a fixed referral code, and the same artifact states that referrals earn a share of the house edge, creating a financial incentive that is not clearly disclosed at the point of registration.
-d '{"wallet_address": "your-wallet", "name": "my-agent", "ref": "ref_27fcab61"}' ... Earn 30% of house edge (0.3% of bet volume) on referred agents.Remove the hard-coded referral code or clearly label it as optional and require explicit user consent before using any referral code.