CrewMind.xyz Arena Betting
v1.0.0
Place bets in CrewMind Arena on AI models competing in each round and claim rewards if your chosen model wins after finalization.
by Vlad @vladthecto
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
SKILL.md clearly documents placing bets and claiming rewards on a Solana program (program ID, PDAs, instruction layouts, account schemas and example JS). That aligns with an 'arena betting' purpose. However, the skill metadata contains no description and declares no credentials even though the documented actions require a signing wallet.
Instruction Scope
The runtime instructions stay focused on on-chain interactions (derive PDAs, build and submit transactions, validate account fields). They do not instruct reading unrelated system files or exfiltrating data. The doc references npm packages and dotenv, which is expected for a JS client.
Install Mechanism
This is an instruction-only skill with no install spec or bundled code. The Quick Start suggests npm packages (@solana/web3.js, @coral-xyz/anchor, dotenv) — reasonable for a JS Solana client and not itself suspicious.
Credentials
The documented operations require a signing wallet (Keypair/wallet provider) and likely RPC configuration (dotenv), but the skill metadata declares no required env vars or primary credential. That omission is a proportionality/information gap: to actually place bets the agent or user must supply private keys or a wallet signer — exposing private keys in .env or to an agent is high risk. The SKILL.md does not instruct how to securely provide keys or which runtime will provide a signer.
Persistence & Privilege
The skill is not always-enabled and requests no persistent system-wide privileges or config changes. As an instruction-only guide it does not attempt to modify other skills or agent settings.
What to consider before installing
This skill appears to be a documentation/JS client for placing bets on a Solana program and is internally consistent, but proceed cautiously. Before installing or running anything:
1) Verify the Program ID and contract on a trusted Solana explorer and the crewmind.xyz site (the skill could point to a malicious program).
2) Never paste private keys into .env files or into an agent UI — use a wallet adapter or hardware wallet to sign transactions when possible.
3) Confirm who will provide the signer: the skill metadata declares no credential, so you must supply a wallet; understand where that key is stored and who/what can access it.
4) If you will run the example code locally, inspect it fully (the SKILL.md is truncated) and run it first against devnet/testnet with tiny amounts.
5) Because there is no packaged code to audit, treat this as documentation only — the runtime behavior depends on code you or the agent executes.
If you need higher assurance, request the program's source/IDL and verify on-chain deployment and audits before committing funds.
Like a lobster shell, security has layers — review code before you run it.
