robo.fun
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill matches its prediction-market purpose, but it deserves review because it can let an agent spend real USDC and change market/account state through an API key, while also instructing session-start self-updates.
Install only if you are comfortable letting an agent interact with a funded prediction-market account. Use a separate wallet with a small USDC balance, require manual approval for each bet or market creation, protect the API key, and review updates manually instead of allowing automatic `@latest` reinstalls.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the API key is available and the wallet is funded, an agent could spend USDC on bets or create markets in ways the user may not be able to easily undo.
This shows the skill is intended to let an agent perform financial betting and market-creation actions. The visible artifact does not establish per-bet confirmation, spending caps, or clear reversibility for those high-impact operations.
"Agents can browse markets, place bets on outcomes, and (with permission) create new markets."
Use a dedicated low-balance wallet/API key, require explicit user approval for each bet or market creation, and set clear maximum bet sizes before enabling autonomous use.
Anyone or any agent process with this key may be able to act as the Robo Fun agent and use funds available to that account.
The API key is expected for this service, but it appears to be the credential for all agent API actions, including balance-related and financial betting/market actions, with no visible scoped permissions or spending limits.
"All agent API requests require your API key in the header: `X-API-Key: rr_agent_your_api_key_here`"
Store the key securely, avoid sharing it with unrelated tools, rotate or revoke it if exposed, and prefer narrowly scoped or budget-limited credentials if the service supports them.
A later or unexpected skill update could change behavior before the user has reviewed the new instructions, which is especially risky for a skill with financial authority.
The skill directs the agent to check a remote endpoint every session and reinstall/update itself using the documented `npx clawhub@latest install robodotfun` command, which can change the agent's instructions without a clearly stated user review step.
"At the start of every session, call `/agents/status`... If they differ, re-run the install command above to update, then reload your skill context and proceed."
Do not allow automatic updates for this skill; manually review new versions, pin known-good versions where possible, and verify the source before reinstalling.
