Blinko
Warn. Audited by ClawScan on May 10, 2026.
Overview
The skill appears to do what it says, but it can let an agent place real on-chain ETH bets using a wallet private key, so it needs careful limits.
Install only if you intentionally want an agent to gamble on-chain. Use a dedicated hot wallet with a very small balance, set explicit spending limits, require approval before each play, and verify the Blinko API, contract address, RPC endpoint, and npm dependency before funding the wallet.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent could place bets and spend ETH plus gas from the configured wallet, including repeated losses if invoked multiple times.
This matters because the skill authorizes autonomous agent use for financial blockchain transactions, but the artifacts do not require explicit user approval for each bet or define a cumulative spending limit.
**This skill signs on-chain transactions that spend real ETH.** ... Agents can invoke this skill autonomously when installed.
Use only a dedicated low-balance hot wallet, set an explicit per-session budget, and require human approval before each play transaction or disable autonomous invocation.
If the wallet key belongs to a valuable wallet, the skill can use that wallet to sign real transactions for the Blinko flow.
This confirms the script loads a raw wallet private key from the environment to sign messages and transactions. That is expected for this on-chain game, but the key grants broad wallet authority.
```javascript
const pk = process.env.WALLET_PRIVATE_KEY;
...
const wallet = new ethers.Wallet(loadKey(), new ethers.JsonRpcProvider(RPC, CHAIN));
```
Never use a main wallet or high-value private key; create a dedicated hot wallet with only the amount you are willing to lose.
A future dependency resolution could install a different ethers version than the author tested.
The transaction-signing dependency is installed from npm with a semver range rather than a lockfile-pinned exact version. This is normal for a Node skill, but dependency integrity matters for wallet-signing code.
```json
"dependencies": { "ethers": "^6.0.0" }
```
Install from trusted registries, consider using a lockfile or exact dependency version, and review dependency changes before using a funded wallet.
