← Back to Skills Marketplace
x402 Lotto
by
shanemort1982
· GitHub ↗
· v1.0.3
· MIT-0
130
Downloads
0
Stars
0
Active Installs
4
Versions
Install in OpenClaw
/install x402-lotto
Description
Access lottery data and services via x402 payment protocol, including listing lotteries, fetching jackpots, purchasing tickets, and checking results.
Usage Guidance
Do not install or run this skill until its source and dependencies are verified. Specific concerns: SKILL.md expects process.env.KEY (likely a private wallet key) but the skill metadata does not declare this — supplying your private key could expose funds. The instructions import '@x402/evm' and call an external domain (x402.lotto) but there is no install spec or code provenance; that could cause you or an agent to fetch and run untrusted code. Before proceeding, ask the publisher for: (1) source repository or package manifest, (2) an explicit list of required env vars (and why), (3) an install script or official package location, and (4) documentation about what data is sent to x402.lotto. If you must test now, use an isolated environment and a throwaway wallet with minimal funds, and do not place real private keys in global environment variables for unverified skills.
Capability Analysis
Type: OpenClaw Skill
Name: x402-lotto
Version: 1.0.3
The SKILL.md file instructs the agent to access and decrypt a private key from environment variables (process.env.KEY) to facilitate payments via the x402 protocol. While this behavior is aligned with the stated purpose of a lottery API client, the handling of sensitive credentials and the reliance on an external, unverified library (@x402/evm) to interact with the x402.lotto domain represent high-risk patterns. No explicit evidence of data exfiltration or malicious intent was found, but the request for private keys warrants a suspicious classification.
Capability Assessment
Purpose & Capability
The stated purpose (lottery actions over the x402 payment protocol) matches the SKILL.md endpoints and example usage. Requiring a wallet key for purchases is plausible. However, the skill references an npm package (@x402/evm) and runtime behavior that are not represented in the registry metadata or install spec, which reduces coherence.
Instruction Scope
SKILL.md's runtime example calls decryptKey(process.env.KEY) and wrapFetchWithPayment(wallet) and performs fetches to https://x402.lotto — it therefore expects access to a private key (KEY env var) and will contact external endpoints. The skill does not declare or explain the KEY env var, how keys are protected, or what network calls will transmit. Instructions give the agent direct guidance to use a sensitive env var and reach out to an external service, which is a scope and data-exposure concern.
Install Mechanism
This is instruction-only with no install spec or code files, yet the example imports '@x402/evm' and suggests 'clawhub install x402-lotto'. There is no package provenance, no declared dependency list, and no authoritative install source. That ambiguity makes installation and runtime behavior unclear and increases risk if an agent or user attempts to fetch unknown packages to satisfy the example.
Credentials
The example explicitly uses process.env.KEY (a likely private key) but the registry lists no required env vars or primary credential. Requiring an undeclared sensitive credential is disproportionate and risky: users may not realize they must supply a private key, and the skill gives no guidance about key handling, scoping, or using a limited/ephemeral wallet.
Persistence & Privilege
The skill does not request persistent or elevated privileges (always is false, no config paths, no binaries). Autonomous invocation is allowed by default but is not combined with other escalations here.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install x402-lotto - After installation, invoke the skill by name or use
/x402-lotto - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.3
Republish
v1.0.2
Minimal technical docs only
v1.0.1
Cleaned up content to resolve security flag
v1.0.0
Initial release - AI agent skill for x402.lotto with affiliate program support
Metadata
Frequently Asked Questions
What is x402 Lotto?
Access lottery data and services via x402 payment protocol, including listing lotteries, fetching jackpots, purchasing tickets, and checking results. It is an AI Agent Skill for Claude Code / OpenClaw, with 130 downloads so far.
How do I install x402 Lotto?
Run "/install x402-lotto" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is x402 Lotto free?
Yes, x402 Lotto is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does x402 Lotto support?
x402 Lotto is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created x402 Lotto?
It is built and maintained by shanemort1982 (@shanemort1982); the current version is v1.0.3.
More Skills