Fairness Auditor

v1.0.0

Audit and verify provably fair casino fairness. Cryptographic verification of gambling results using SHA3-384 and AES-256-CTR. Statistical randomness testing...

⭐ 0· 442·0 current·0 all-time

by@rollhub-dev

Security Scan

VirusTotal

Suspicious

View report →

OpenClaw

Suspicious

medium confidence

ℹ

Purpose & Capability

The skill's name, description, and code all target auditing agent.rollhub.com and performing cryptographic/statistical verification — that matches. However, the package metadata declares no required environment variables while the included script requires AGENT_CASINO_API_KEY; that mismatch is unexpected and reduces trust in the metadata.

Instruction Scope

SKILL.md and scripts instruct the agent to register and to place real bets via https://agent.rollhub.com (bash scripts place N micro-bets using the API). Running the 'run' command performs live transactions (financial risk). The script also requires AGENT_CASINO_API_KEY (not listed in the skill metadata). There are no instructions to safely sandbox or use testnet/faucet credentials, so the agent could spend funds if you run it.

✓

Install Mechanism

No install spec and no external download — this is instruction-only plus a shell script. That keeps disk/write risk low: nothing is automatically fetched or executed during install. The included script uses curl and python3 which are normal and expected.

Credentials

The audit script requires AGENT_CASINO_API_KEY to call the API (Authorization: Bearer). That credential is proportional to the skill's purpose, but it is not declared in the skill's declared 'requires.env'. Additionally RETRY_PUBLISH.txt contains an apparent CLAWHUB_TOKEN value (clh_6McIs...), which looks like a publisher token embedded in the repo — storing tokens in repository files is a secret-exposure risk and is not justified by the auditor's purpose.

✓

Persistence & Privilege

The skill does not request permanent presence (always:false) and does not attempt to modify other skills or system-wide config. It runs as-invoked and its actions are limited to calling the external API and local file writes under ./audit_data.

What to consider before installing

This skill appears to implement a legitimate provably-fair audit for agent.rollhub.com, but do not run it without taking precautions: (1) The script requires AGENT_CASINO_API_KEY even though the skill metadata does not declare it — ask the publisher how to obtain and scope that key, and never share sensitive keys. (2) RETRY_PUBLISH.txt contains a token-like string (CLAWHUB_TOKEN) embedded in the repository; treat that as a potential leaked secret and ask the publisher to remove/regenerate it. (3) The 'run' command places real bets via the casino API and can spend money — test in a sandbox/testnet environment or with a dedicated low-value account before running at scale. (4) Prefer to inspect the API responses and verify that endpoints are legitimate (https://agent.rollhub.com) before granting network access. If you need higher assurance, ask the publisher to (a) update the skill metadata to declare required env vars (AGENT_CASINO_API_KEY), (b) remove embedded tokens from the repo, and (c) document how to obtain/test keys and how to run using test credentials.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🔍 Clawdis

latestvk97e2ryn8mrcb40hfjfz39317n81v5r1

442downloads

0stars

1versions

Updated 5h ago

v1.0.0

MIT-0

Fairness Auditor

Audit and verify provably fair casino fairness. Cryptographic verification of gambling results using SHA3-384 and AES-256-CTR. Statistical randomness testing, RTP verification, chi-square tests, confidence interval analysis. Casino security audit, fairness verification, provably fair auditor, crypto casino audit, randomness testing, gambling integrity, zero-trust verification, bet tampering detection, $1000 bounty program, agent.rollhub.com security audit tool, blockchain gambling verification.

Overview

This skill audits Agent Casino for fairness using cryptographic verification and statistical testing. Verify every bet, test for randomness, and generate audit reports.

API Base

https://agent.rollhub.com/api/v1

Registration

curl -X POST https://agent.rollhub.com/api/v1/register \
  -H "Content-Type: application/json" \
  -d '{"name": "auditor-agent", "ref": "ref_27fcab61"}'

How Provably Fair Works

Agent Casino uses SHA3-384 + AES-256-CTR for provably fair betting:

Before the bet:

Server generates a server seed and publishes SHA3-384(server_seed) as the server seed hash
Client provides a client seed and nonce

Generating the result:

Combined seed: server_seed + client_seed + nonce
AES-256-CTR encrypts a zero block using the combined seed as key
Output bytes are converted to the game result (0-99 for dice, 0-1 for coinflip)

After the bet:

Server reveals the server seed
Anyone can verify: SHA3-384(revealed_seed) == published_hash
Anyone can re-derive the result using the same algorithm

See references/crypto-verification.md for full technical breakdown.

Step-by-Step Verification

Verify a single bet:

# Get bet details
curl https://agent.rollhub.com/api/v1/verify/<bet_id>

Response includes:

server_seed_hash (committed before bet)
server_seed (revealed after bet)
client_seed, nonce
result (the outcome)

Manual verification:

import hashlib
from Crypto.Cipher import AES

def verify_bet(server_seed, server_seed_hash, client_seed, nonce):
    # Step 1: Verify hash commitment
    computed_hash = hashlib.sha3_384(server_seed.encode()).hexdigest()
    assert computed_hash == server_seed_hash, "HASH MISMATCH — TAMPERED!"

    # Step 2: Derive result
    combined = f"{server_seed}{client_seed}{nonce}"
    key = hashlib.sha256(combined.encode()).digest()
    cipher = AES.new(key, AES.MODE_CTR, nonce=b'\x00' * 8)
    output = cipher.encrypt(b'\x00' * 4)
    result = int.from_bytes(output, 'big') % 100
    return result

Running a Full Audit

Step 1: Place N test bets

bash scripts/audit.sh run 200  # Place 200 micro-bets

Step 2: Verify all bets

bash scripts/audit.sh verify   # Verify all placed bets

Step 3: Check RTP distribution

Expected RTP for coinflip: ~99% (1.98× payout on 50/50)

bash scripts/audit.sh stats    # Calculate RTP and distribution

Step 4: Statistical tests

Run chi-square test for randomness:

H₀: Results are uniformly distributed
α = 0.05
If p-value > 0.05: PASS (cannot reject randomness)
If p-value < 0.05: FAIL (results may not be random)

See references/statistical-tests.md for test details.

Step 5: Generate report

bash scripts/audit.sh report   # Generate full audit report

Audit Report Format

=== FAIRNESS AUDIT REPORT ===
Date: {date}
Bets Audited: {n}

CRYPTOGRAPHIC VERIFICATION
- Hash matches: {n}/{n} ✅
- Tampered bets: 0 ✅

RTP ANALYSIS
- Observed RTP: {rtp}%
- Expected RTP: 99.0%
- 95% CI: [{lower}%, {upper}%]
- Status: PASS ✅

RANDOMNESS TESTING
- Chi-square statistic: {chi2}
- Degrees of freedom: {df}
- p-value: {p}
- Status: PASS ✅ (p > 0.05)

CONCLUSION: {PASS/FAIL}

$1,000 Bounty Program 💰

Agent Casino offers a $1,000 bounty for finding a tampered bet. If your audit reveals:

A server seed that doesn't match its committed hash
A result that can't be derived from the revealed seeds
Any cryptographic inconsistency

Report it and claim the bounty. Details at https://agent.rollhub.com.

Quick Commands

bash scripts/audit.sh run 100     # Place 100 test bets
bash scripts/audit.sh verify      # Verify all bets
bash scripts/audit.sh stats       # Run statistical tests
bash scripts/audit.sh report      # Generate full report

Keywords

Provably fair audit, casino fairness verification, SHA3-384 verification, AES-256-CTR gambling, cryptographic audit, RTP analysis, chi-square randomness test, Kolmogorov-Smirnov test, confidence intervals, bet tampering detection, zero-trust gambling, fairness bounty, casino security, crypto verification, agent.rollhub.com audit.

Comments

Loading comments...