Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Blinko
v1.1.1
Play Blinko (on-chain Plinko) headlessly on Abstract chain. Use when an agent wants to play Blinko games, check game stats, view leaderboards, or track honey rewards. Handles the full commit-reveal flow including API auth, on-chain game creation, simulation, and settlement.
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The name/description and included scripts (play-blinko.js, stats.js) are coherent: the skill logs in, requests a server seed, calls createGame/cashOut on the on‑chain contract, and queries stats from api.blinko.gg. However the registry metadata at the top claimed no required env vars, while SKILL.md and the scripts clearly require WALLET_PRIVATE_KEY. That metadata mismatch is an inconsistency the publisher should explain.
Instruction Scope
SKILL.md and the scripts are specific about actions: sign a login message, obtain a JWT, call the Blinko API, call Abstract RPC to create and settle on‑chain games, and show stats. The instructions do not attempt to read unrelated files or hidden credentials. They do transmit signatures and JWTs to api.blinko.gg and send signed transactions to the RPC endpoint (expected for this purpose).
Install Mechanism
There is no installer that downloads arbitrary archives; this is instruction + source files with a simple package.json (ethers dependency). Risk is limited to running npm install / node on the files you download; no obscure remote installers or shortener URLs are used.
Credentials
The skill requires a single, highly sensitive environment variable: WALLET_PRIVATE_KEY (declared in SKILL.md metadata). That is proportionate to playing an on‑chain game, but it grants full control of the wallet's funds. The earlier registry section incorrectly listed no required env vars — this mismatch is concerning. No other credentials are requested, which is expected, but the private key risk is material.
Persistence & Privilege
always:false (good). The skill indicates agents may invoke it autonomously (default platform behavior). Because the skill can sign and submit transactions that spend ETH, autonomous invocation increases risk — consider restricting autonomous use or requiring user confirmation before any transaction is sent.
What to consider before installing
This skill appears to do exactly what it says (play Blinko on Abstract) and contains the code to sign and submit real ETH transactions. Key points before installing:
(1) The skill requires your private key (WALLET_PRIVATE_KEY) — this gives full control of that wallet. Use a dedicated hot wallet with only the funds you are willing to lose.
(2) Registry metadata omitted the env var; ask the publisher why that mismatch exists and confirm the skill's provenance.
(3) The skill talks to hardcoded endpoints (https://api.blinko.gg and https://api.abs.xyz) and a hardcoded contract address — verify those addresses are legitimate before use.
(4) If you install, prefer manual invocation (disable autonomous agent actions or require confirmation) and inspect/run the code in an isolated environment.
(5) If you only want read‑only info, consider using stats.js with a watch‑only address instead of providing a private key.
If you need higher assurance, ask the publisher for a signed source/release or run the scripts on a throwaway wallet with minimal funds first.
Like a lobster shell, security has layers — review code before you run it.
