Security Audit

clawdcasino

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CAUTION

Scanned 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

clawdcasino received a trust score of 54/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.

SkillShield's automated analysis identified 8 findings: 0 critical, 0 high, 6 medium, and 2 low severity. Key findings include Suspicious import: requests, Private key printed to console if not saved to .env, API key printed to console if not saved to .env.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Static Code Analysis layer scored lowest at 58/100, indicating areas for improvement.

Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

58%

Dependency Graph

100%

LLM Behavioral Safety

96%

Behavioral Risk Signals

Network Access

6 findings

Shell Execution

1 finding

Excessive Permissions

6 findings

Security Findings8

Severity	Finding	Layer	Location
MEDIUM	Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration.	Static	skills/synthpolis/clawdcasino/script/approve.py:21
MEDIUM	Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration.	Static	skills/synthpolis/clawdcasino/script/balance.py:17
MEDIUM	Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration.	Static	skills/synthpolis/clawdcasino/script/pvp.py:17
MEDIUM	Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration.	Static	skills/synthpolis/clawdcasino/script/register.py:20
MEDIUM	Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration.	Static	skills/synthpolis/clawdcasino/script/roulette.py:15
MEDIUM	Suspicious import: requests Import of 'requests' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration.	Static	skills/synthpolis/clawdcasino/script/version.py:13
LOW	Private key printed to console if not saved to .env The `script/wallet_gen.py` script prints the generated private key directly to standard output if the `--save` flag is not used. This exposes the private key on the console, which could be captured by logging systems or visible to unauthorized individuals if the execution environment is not secure. While the skill recommends using `--save` to mitigate this, the default behavior without it presents a risk of credential exposure. Ensure that sensitive information like private keys is never printed to standard output unless explicitly requested by a user in a secure, interactive session, and even then, with strong warnings. Consider masking the key or requiring explicit confirmation to display it, even when `--save` is not used.	LLM	script/wallet_gen.py:100
LOW	API key printed to console if not saved to .env The `script/register.py` script prints the generated API key directly to standard output if the `--save` flag is not used. Similar to the private key, this exposes the API key on the console, which could be captured by logging systems or visible to unauthorized individuals. While the skill recommends using `--save` to mitigate this, the default behavior without it presents a risk of credential exposure. Ensure that sensitive information like API keys is never printed to standard output unless explicitly requested by a user in a secure, interactive session, and even then, with strong warnings. Consider masking the key or requiring explicit confirmation to display it, even when `--save` is not used.	LLM	script/register.py:120

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/26f4c90407cb6378.svg)](https://skillshield.io/report/26f4c90407cb6378)