Blinko

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do what it claims, but it can let an agent use a wallet private key to place real-money on-chain bets without clear per-game approval controls.

Install only if you explicitly want an agent to play Blinko with real ETH. Use a dedicated low-balance hot wallet, verify the contract/API and dependencies, require manual approval for every game, and remove WALLET_PRIVATE_KEY from the environment when not in use.

VirusTotal

66/66 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
High
What this means

If a wallet key is available, an agent could place Blinko bets and spend gas/ETH when it decides to invoke the skill, potentially losing funds.

Why it was flagged

The skill explicitly combines real-money transaction authority with autonomous agent invocation, but the artifacts do not show mandatory user approval before each bet or a total spend limit.

Skill content
**This skill signs on-chain transactions that spend real ETH.** ... Agents can invoke this skill autonomously when installed.
Recommendation

Only install with model invocation disabled or with a strict approval policy, and use a dedicated hot wallet funded only with the amount you are willing to lose.

ASI03: Identity and Privilege Abuse
High
What this means

A compromised, overfunded, or reused wallet key could expose more funds than intended to automated betting and transaction fees.

Why it was flagged

The script loads WALLET_PRIVATE_KEY into an ethers wallet and uses it to submit a value-bearing on-chain game transaction, giving the skill direct spending authority for that wallet.

Skill content
const wallet = new ethers.Wallet(loadKey(), new ethers.JsonRpcProvider(RPC, CHAIN)); ... const tx1 = await contract.createGame(params, serverSig, ethers.randomBytes(32), { value: betWei });
Recommendation

Use a fresh, low-balance hot wallet only; never provide a main wallet or wallet with unrelated assets, and remove the key from the agent environment when not actively playing.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Dependency changes could affect wallet or transaction behavior in a skill that handles real funds.

Why it was flagged

The Ethereum signing dependency is expected for this skill, but it is specified as a semver range without a supplied lockfile, so future installs may resolve to different package contents.

Skill content
"dependencies": { "ethers": "^6.0.0" }
Recommendation

Pin and review dependencies before use, ideally with a lockfile and a known-good ethers version.