x402 Lotto
v1.0.3
Access lottery data and services via x402 payment protocol, including listing lotteries, fetching jackpots, purchasing tickets, and checking results.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The stated purpose (lottery actions over the x402 payment protocol) matches the SKILL.md endpoints and example usage. Requiring a wallet key for purchases is plausible. However, the skill references an npm package (@x402/evm) and runtime behavior that are not represented in the registry metadata or install spec, which reduces coherence.
Instruction Scope
SKILL.md's runtime example calls decryptKey(process.env.KEY) and wrapFetchWithPayment(wallet) and performs fetches to https://x402.lotto — it therefore expects access to a private key (KEY env var) and will contact external endpoints. The skill does not declare or explain the KEY env var, how keys are protected, or what network calls will transmit. Instructions give the agent direct guidance to use a sensitive env var and reach out to an external service, which is a scope and data-exposure concern.
Install Mechanism
This is instruction-only with no install spec or code files, yet the example imports '@x402/evm' and suggests 'clawhub install x402-lotto'. There is no package provenance, no declared dependency list, and no authoritative install source. That ambiguity makes installation and runtime behavior unclear and increases risk if an agent or user attempts to fetch unknown packages to satisfy the example.
Credentials
The example explicitly uses process.env.KEY (a likely private key) but the registry lists no required env vars or primary credential. Requiring an undeclared sensitive credential is disproportionate and risky: users may not realize they must supply a private key, and the skill gives no guidance about key handling, scoping, or using a limited/ephemeral wallet.
Persistence & Privilege
The skill does not request persistent or elevated privileges (always is false, no config paths, no binaries). Autonomous invocation is allowed by default but is not combined with other escalations here.
What to consider before installing
Do not install or run this skill until its source and dependencies are verified. Specific concerns: SKILL.md expects process.env.KEY (likely a private wallet key) but the skill metadata does not declare this — supplying your private key could expose funds. The instructions import '@x402/evm' and call an external domain (x402.lotto) but there is no install spec or code provenance; that could cause you or an agent to fetch and run untrusted code. Before proceeding, ask the publisher for: (1) source repository or package manifest, (2) an explicit list of required env vars (and why), (3) an install script or official package location, and (4) documentation about what data is sent to x402.lotto. If you must test now, use an isolated environment and a throwaway wallet with minimal funds, and do not place real private keys in global environment variables for unverified skills.
Like a lobster shell, security has layers — review code before you run it.
x402 Lotto
API client for x402.lotto — lottery services via the x402 payment protocol.
Endpoints
| Endpoint | Method | Description |
|---|---|---|
| /api/lotteries | GET | List lotteries |
| /api/jackpot/:name | GET | Current jackpot |
| /api/tickets | POST | Purchase ticket |
| /api/tickets/:id | GET | Ticket status |
| /api/results/:name | GET | Draw results |
Usage

```javascript
import { wrapFetchWithPayment, decryptKey } from '@x402/evm';
// Wallet key is read from the KEY environment variable (not declared in the skill metadata).
const wallet = decryptKey(process.env.KEY);
// fetch wrapper that settles x402 payment challenges with this wallet.
const fetch = wrapFetchWithPayment(wallet);
const res = await fetch('https://x402.lotto/api/jackpot/eurojackpot');
```
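The scan's Instruction Scope and Credentials findings (an undeclared process.env.KEY, an undeclared '@x402/evm' import and an undeclared external host) can be checked mechanically before a skill is installed. The following is an added example, not code from the x402-lotto skill or the OpenClaw registry; it assumes a registry metadata shape of `{ env, dependencies, hosts }` and uses the page's usage snippet as constructed input.

```javascript
// Added example, not code from the x402-lotto skill or the OpenClaw registry.
// Static audit of a skill's SKILL.md against its registry metadata: lists the
// env vars, imports and external hosts the instructions use but the metadata
// never declares. The metadata shape { env, dependencies, hosts } is assumed.

const ENV_RE = /process\.env(?:\.([A-Za-z_]\w*)|\[['"]([^'"]+)['"]\])/g;
const IMPORT_RE = /(?:from\s+|require\(\s*)['"]([^'"]+)['"]/g;
const HOST_RE = /https?:\/\/([^/'"\s)]+)/g;
// Env var names that usually hold a signing key or credential.
const SENSITIVE_RE = /KEY|SECRET|PRIVATE|MNEMONIC|TOKEN|PASS/i;

// Unique capture-group values for a global regex over the text.
function collect(text, re) {
  const out = new Set();
  for (const m of text.matchAll(re)) out.add(m[1] ?? m[2]);
  return [...out];
}

// Compares what SKILL.md touches with what the metadata declares.
function auditSkill(skillMd, metadata) {
  const undeclared = (used, key) => {
    const declared = new Set(metadata[key] ?? []);
    return used.filter((v) => !declared.has(v));
  };
  const undeclaredEnv = undeclared(collect(skillMd, ENV_RE), 'env');
  const undeclaredDeps = undeclared(collect(skillMd, IMPORT_RE), 'dependencies');
  const undeclaredHosts = undeclared(collect(skillMd, HOST_RE), 'hosts');
  const sensitiveEnv = undeclaredEnv.filter((v) => SENSITIVE_RE.test(v));
  const findings = [];
  if (undeclaredEnv.length) findings.push(`undeclared env vars: ${undeclaredEnv.join(', ')}`);
  if (sensitiveEnv.length) findings.push(`undeclared credential-like env vars: ${sensitiveEnv.join(', ')}`);
  if (undeclaredDeps.length) findings.push(`undeclared imports: ${undeclaredDeps.join(', ')}`);
  if (undeclaredHosts.length) findings.push(`undeclared external hosts: ${undeclaredHosts.join(', ')}`);
  const verdict = sensitiveEnv.length ? 'suspicious' : findings.length ? 'review' : 'clean';
  return { undeclaredEnv, undeclaredDeps, undeclaredHosts, sensitiveEnv, findings, verdict };
}

// Constructed sample: the usage snippet shown on this page, paired with
// metadata that declares no env vars, dependencies or hosts.
const SAMPLE_SKILL_MD = `
import { wrapFetchWithPayment, decryptKey } from '@x402/evm';
const wallet = decryptKey(process.env.KEY);
const fetch = wrapFetchWithPayment(wallet);
const res = await fetch('https://x402.lotto/api/jackpot/eurojackpot');
`;
const SAMPLE_METADATA = { env: [], dependencies: [], hosts: [] };

const report = auditSkill(SAMPLE_SKILL_MD, SAMPLE_METADATA);
console.log(report.verdict, report.findings);
```

Running it on the sample yields the verdict `suspicious` with KEY, '@x402/evm' and x402.lotto all reported as undeclared; the same snippet with those three items declared in the metadata yields `clean`.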
Payment
Uses x402 protocol — EIP-712 off-chain signing, no gas fees. USDC on Base (8453).
Install
clawhub install x402-lotto