Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

The Flip Publish

v2.0.3

$1 USDC entry. 14 coin flips. Get all 14 right, take the entire jackpot. Live on Solana devnet — continuous game, enter anytime.

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)

Purpose & Capability
The skill describes a Solana devnet game and includes an on-chain Rust program + a Node demo script, which matches the stated purpose. However, the declared requirements only list 'node' while the SKILL.md and code clearly require the Solana CLI, Anchor toolchain, and a Rust toolchain to build/deploy. The repository contains a Rust program (program/src/lib.rs) and Anchor/IDL artifacts, so missing declarations for solana/anchor/rust are inconsistent and suggest incomplete or sloppy metadata.
Instruction Scope
SKILL.md instructs the agent/user to install the Solana CLI using sh -c "$(curl -sSfL https://release.anza.xyz/stable/install)" (a third-party URL, not the official solana release host), run solana-keygen, solana airdrop, and optionally post your wallet on a public forum to get test USDC. The demo script reads a local wallet key file (default ~/.config/solana/id.json) or the ANCHOR_WALLET env var and will sign/send transactions. These instructions go beyond mere game interaction (they direct installing remote code and accessing local wallet keys) and do not declare those sensitive accesses.
Install Mechanism
There is no formal install spec, but SKILL.md directs running a curl | sh installer from https://release.anza.xyz — which is not a well-known official release host and is high-risk (remote shell execution). The package also requires building/using Anchor/Rust to work with the on-chain program, but that build/install workflow is not captured in declared installs. This is a disproportionate and potentially dangerous install instruction.
Credentials
The skill declares no required env vars or config paths, yet the demo script reads wallets from a default path (~/.config/solana/id.json) and honors process.env.ANCHOR_WALLET if set. Access to a local keypair file is necessary to sign transactions, but the metadata omission is misleading. The skill does not ask for unrelated secrets, but it implicitly accesses sensitive local wallet material without declaring it.
Persistence & Privilege
The skill does not request always:true, does not modify other skill configs, and is user-invocable only. There is no evidence the skill requests persistent elevated platform privileges.
What to consider before installing
- Do NOT run the curl | sh installer linked in SKILL.md (https://release.anza.xyz). That command executes remote shell code from an untrusted host. If you need the Solana CLI, install it from the project's official instructions (solana.com / official GitHub releases) or your distro's package manager.
- The skill will read and use a local Solana keypair (default ~/.config/solana/id.json) or any key file path you pass. That file contains private key material. Use a throwaway devnet-only wallet (create a new keypair) — never point the skill at a wallet that holds real/mainnet funds or private keys.
- The package metadata only lists 'node' but the code requires Solana CLI, Anchor, and a Rust toolchain to build the on-chain program/IDL. Expect additional setup steps; the missing declarations are an incoherence you should resolve or ask the publisher to fix.
- The demo script signs transactions and can move tokens if you provide a wallet. Review demo.mjs and the on-chain program (program/src/lib.rs); they appear to implement the game logic and token transfers as described, but you should audit them yourself if you will provide a real wallet.
- Avoid posting private keys anywhere. The SKILL.md suggests posting a wallet address on a forum to receive test USDC — posting a public address is OK, but never post the private key.
- If you want to proceed safely: (1) create a new devnet-only wallet, (2) do not run any unknown remote installer, (3) install Solana/Anchor from official sources, (4) run the demo in an isolated environment (container/VM), and (5) consider building/reviewing the on-chain program yourself or interacting only via the public API endpoints and a wallet you control.
Bottom line: the code aligns with the described game, but the presence of an untrusted remote installer instruction and missing dependency/credential declarations make this package suspicious until those issues are fixed or you take the recommended safety precautions.


Runtime requirements

🎰 Clawdis
Bins: node
latest: vk974qdqg0z1shh9yx3re7bjp5n80h0kj
2k downloads
0 stars
5 versions
Updated 13m ago
v2.0.3
MIT-0

🎰 THE FLIP

$1 USDC. 14 coin flips. Get all 14 right → take the entire jackpot.

No rounds. No entry windows. The game never stops. Enter anytime, and your ticket rides the next 14 global flips. Winner takes the entire pot.


Commands

1. Check game status

node app/demo.mjs status

Returns: jackpot amount, global flip count, total entries, recent flip results.

2. Enter the game

node app/demo.mjs enter HHTHHTTHHTHHTH
# Or with a specific wallet:
node app/demo.mjs enter HHTHHTTHHTHHTH ~/.config/solana/id.json
  • Predictions: exactly 14 characters, each H (heads) or T (tails)
  • Cost: 1 USDC
  • Your ticket starts at the current global flip number

3. Check your ticket

node app/demo.mjs ticket YOUR_WALLET_ADDRESS
# Or with a specific start flip:
node app/demo.mjs ticket YOUR_WALLET_ADDRESS 42

Returns: your predictions, results so far, status (ALIVE/ELIMINATED/WINNER).

4. Claim jackpot (if you got 14/14)

node app/demo.mjs claim YOUR_WALLET_ADDRESS START_FLIP

Only works if all 14 predictions match the flip results.

5. Advance the game (anyone can do this)

node app/demo.mjs flip

Executes the next coin flip. Permissionless — anyone can call.


API (for agents)

Base URL: https://the-flip.vercel.app

GET /api/game

{
  "phase": "active",
  "jackpot": 5.25,
  "globalFlip": 42,
  "totalEntries": 100,
  "totalWins": 2,
  "recentFlips": ["H", "T", "H", "H", "T", ...]
}

GET /api/ticket?wallet=ADDRESS&startFlip=42

{
  "found": true,
  "status": "ALIVE",
  "score": 5,
  "predictions": ["H", "T", "H", ...],
  "flips": [
    {"index": 0, "predicted": "H", "actual": "H", "match": true, "revealed": true},
    ...
  ]
}
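The ticket rules spread across the Commands, API and Quick Reference sections can be implemented on the agent side and checked offline. The block below is an added example, not the skill's own code: it rejects anything that is not exactly 14 H/T characters before an entry is paid for, scores a ticket against a flip history in the shape of the /api/ticket response, and computes the per-entry edge from the stated odds (1 in 16,384). The full-history array, the rule that score counts consecutive matches up to the first miss, the file name ticket-eval.js and the helper names are assumptions; the sample flips are constructed.

```javascript
// Added example, not part of the skill: agent-side ticket evaluation for
// The Flip. Rules are taken from the README (14 H/T predictions, a ticket
// rides 14 consecutive global flips, 1 in 16,384 odds); the data layout
// and helper names below are assumptions.
const TICKET_LENGTH = 14;
const ODDS = 2 ** TICKET_LENGTH; // 16,384 equally likely 14-flip sequences
const PREDICTION_RE = new RegExp(`^[HT]{${TICKET_LENGTH}}$`);

// Validate before anything is signed: an entry costs 1 USDC, so a malformed
// string should fail here rather than inside a transaction.
function parsePredictions(input) {
  if (typeof input !== "string" || !PREDICTION_RE.test(input)) {
    throw new Error(`predictions must be exactly ${TICKET_LENGTH} characters, each H or T`);
  }
  return input.split("");
}

// flips: the global flip history with flips[i] being the outcome of flip i
// (assumption: the caller holds the full history, e.g. read from the
// program's accounts; /api/game only returns a recent window).
// startFlip: the global flip number the ticket was entered at.
// Score counts consecutive matches up to the first miss (assumption; the
// README only shows "score": 5 for an ALIVE ticket).
function evaluateTicket(predictions, flips, startFlip) {
  const rows = [];
  let score = 0;
  let eliminated = false;
  for (let i = 0; i < TICKET_LENGTH; i++) {
    const predicted = predictions[i];
    const actual = flips[startFlip + i]; // undefined if not yet flipped
    const revealed = actual !== undefined;
    const match = revealed && actual === predicted;
    if (revealed && !eliminated) {
      if (match) score += 1;
      else eliminated = true;
    }
    rows.push({ index: i, predicted, actual: revealed ? actual : null, match, revealed });
  }
  const status = eliminated ? "ELIMINATED" : score === TICKET_LENGTH ? "WINNER" : "ALIVE";
  return { found: true, status, score, predictions, flips: rows };
}

// Expected value of one entry in USDC, ignoring jackpot growth from later
// entries and the chance of sharing a win: jackpot / 16,384 minus the fee.
// An entry is only +EV once the jackpot exceeds 16,384 USDC.
function entryEdge(jackpot, entryFee = 1) {
  return jackpot / ODDS - entryFee;
}

// Stand-alone run: node ticket-eval.js HHTHHTTHHTHHTH
if (typeof process !== "undefined" && process.argv[1] && process.argv[1].endsWith("ticket-eval.js")) {
  const preds = parsePredictions(process.argv[2] || "HHTHHTTHHTHHTH");
  // Constructed sample history: the first five global flips agree with the ticket.
  const sampleFlips = ["H", "H", "T", "H", "H"];
  console.log(JSON.stringify(evaluateTicket(preds, sampleFlips, 0), null, 2));
  console.log("edge at a 5.25 USDC jackpot:", entryEdge(5.25).toFixed(4), "USDC");
}
```

Because the dashboard at the-flip.vercel.app is an off-chain view, an agent that intends to act on an ALIVE or WINNER result should reconcile this evaluation with the program's on-chain account data before spending on a claim; the README states that all game logic lives on-chain, so that is the authoritative source.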

Setup (first time only)

# Install skill
clawhub install the-flip
cd the-flip && npm install

# Solana wallet (if you don't have one)
sh -c "$(curl -sSfL https://release.anza.xyz/stable/install)"
export PATH="$HOME/.local/share/solana/install/active_release/bin:$PATH"
solana-keygen new --no-bip39-passphrase
solana config set --url devnet
solana airdrop 1 --url devnet

# Get devnet USDC
# Option A: https://faucet.circle.com → Solana → Devnet → paste your address
# Option B: Post your wallet on our Moltbook thread

Quick Reference

Entry fee: 1 USDC (devnet)
Predictions: 14 characters — H or T
Flips: Continuous — permissionless, anyone can call
Jackpot: 99% of all entries. Winner takes all. Pool resets after win.
Odds: 1 in 16,384 per entry
Program: 7rSMKhD3ve2NcR4qdYK5xcbMHfGtEjTgoKCS5Mgx9ECX
USDC Mint: 4zMMC9srt5Ri5X14GAgXhaHii3GnPAEERYPJgZJDncDU
Network: Solana devnet
Vault: PDA — no private key, can't be rugged
Dashboard: the-flip.vercel.app

Source

https://github.com/maurodelazeri/the-flip-publish

All game logic is on-chain. The vault is a PDA — no private key holds funds. Claim is atomic (verify + pay in one tx).
