rollhub-dev

Fairness Auditor

by rollhub-dev · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Downloads: 500
Stars: 0
Active Installs: 0
Versions: 1
Install in OpenClaw
/install rollhub-auditor
Description
Audit and verify provably fair casino fairness. Cryptographic verification of gambling results using SHA3-384 and AES-256-CTR. Statistical randomness testing...
Usage Guidance
This skill appears to implement a legitimate provably-fair audit for agent.rollhub.com, but do not run it without taking precautions:
  1. The script requires AGENT_CASINO_API_KEY even though the skill metadata does not declare it — ask the publisher how to obtain and scope that key, and never share sensitive keys.
  2. RETRY_PUBLISH.txt contains a token-like string (CLAWHUB_TOKEN) embedded in the repository; treat that as a potential leaked secret and ask the publisher to remove/regenerate it.
  3. The 'run' command places real bets via the casino API and can spend money — test in a sandbox/testnet environment or with a dedicated low-value account before running at scale.
  4. Prefer to inspect the API responses and verify that endpoints are legitimate (https://agent.rollhub.com) before granting network access.
If you need higher assurance, ask the publisher to (a) update the skill metadata to declare required env vars (AGENT_CASINO_API_KEY), (b) remove embedded tokens from the repo, and (c) document how to obtain/test keys and how to run using test credentials.
Capability Analysis
Type: OpenClaw Skill
Name: rollhub-auditor
Version: 1.0.0
The skill's core functionality, as described in SKILL.md and implemented in scripts/audit.sh, appears benign, focusing on auditing a provably fair casino at agent.rollhub.com. However, the file RETRY_PUBLISH.txt contains a hardcoded CLAWHUB_TOKEN (clh_6McIsLBkCfql-bsonlCCQ9p_4eWUw6azM9dxeU53Hl0). This is a critical vulnerability, as this token could be used by an attacker to publish or update skills under the owner's ID, posing a significant supply chain risk for the OpenClaw platform.
Capability Assessment
Purpose & Capability
The skill's name, description, and code all target auditing agent.rollhub.com and performing cryptographic/statistical verification — that matches. However, the package metadata declares no required environment variables while the included script requires AGENT_CASINO_API_KEY; that mismatch is unexpected and reduces trust in the metadata.
Instruction Scope
SKILL.md and scripts instruct the agent to register and to place real bets via https://agent.rollhub.com (bash scripts place N micro-bets using the API). Running the 'run' command performs live transactions (financial risk). The script also requires AGENT_CASINO_API_KEY (not listed in the skill metadata). There are no instructions to safely sandbox or use testnet/faucet credentials, so the agent could spend funds if you run it.
Install Mechanism
No install spec and no external download — this is instruction-only plus a shell script. That keeps disk/write risk low: nothing is automatically fetched or executed during install. The included script uses curl and python3 which are normal and expected.
Credentials
The audit script requires AGENT_CASINO_API_KEY to call the API (Authorization: Bearer). That credential is proportional to the skill's purpose, but it is not listed in the skill's declared 'requires.env'. Additionally, RETRY_PUBLISH.txt contains an apparent CLAWHUB_TOKEN value (clh_6McIs...), which looks like a publisher token embedded in the repo. Storing tokens in repository files is a secret-exposure risk and is not justified by the auditor's purpose.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not attempt to modify other skills or system-wide config. It runs as-invoked and its actions are limited to calling the external API and local file writes under ./audit_data.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install rollhub-auditor
  3. After installation, invoke the skill by name or use /rollhub-auditor
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release of rollhub-auditor.
  - Provides cryptographic verification of casino results using SHA3-384 and AES-256-CTR.
  - Supports statistical randomness testing, RTP verification, chi-square tests, and confidence interval analysis.
  - Includes detailed step-by-step guide for bet verification and full audit process.
  - Offers tools for generating audit reports and detecting bet tampering.
  - Documents $1,000 bounty program for finding cryptographic inconsistencies.
Metadata
Slug rollhub-auditor
Version 1.0.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Fairness Auditor?

Audit and verify provably fair casino fairness. Cryptographic verification of gambling results using SHA3-384 and AES-256-CTR. Statistical randomness testing... It is an AI Agent Skill for Claude Code / OpenClaw, with 500 downloads so far.

How do I install Fairness Auditor?

Run "/install rollhub-auditor" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Fairness Auditor free?

Yes, Fairness Auditor is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Fairness Auditor support?

Fairness Auditor is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Fairness Auditor?

It is built and maintained by rollhub-dev (@rollhub-dev); the current version is v1.0.0.
