
SUIROLL

by abdhilabs · GitHub ↗ · v1.0.0
cross-platform ⚠ suspicious
Downloads: 381
Stars: 0
Active Installs: 0
Versions: 1
Install in OpenClaw
/install suiroll
Description
Provably fair giveaway tool for AI agents on Sui with VRF and Moltbook auth.
Usage Guidance
This skill will ask for and use your Sui private key to sign on-chain transactions and will call Moltbook APIs using your Moltbook API key. It will also save Moltbook session data (including API keys) under ~/.config/suiroll/moltbook-session.json. Before installing:
  1. Verify the skill's source and author: the registry metadata contradicts the runtime instructions (metadata claims no required env vars but the code requires SUI_PRIVATE_KEY, MOLTBOOK_API_KEY and MOLTBOOK_APP_KEY).
  2. Prefer testing on testnet and with a throwaway Sui key (do not use a high-value wallet).
  3. Avoid setting high-privilege/developer keys globally (MOLTBOOK_APP_KEY appears to be an app-level key and is unusual for end-users).
  4. Review package.json and the included code locally to confirm behavior.
  5. Consider running the CLI inside a disposable environment (VM/container) if you must provide real credentials.
  6. Rotate any keys you expose during testing.
If the publisher cannot explain why MOLTBOOK_APP_KEY is required or fix the registry metadata, treat the mismatch as a red flag.
Capability Analysis
Type: OpenClaw Skill
Name: suiroll
Version: 1.0.0
The skill is classified as suspicious due to several vulnerabilities related to OpenClaw's permission model, rather than clear malicious intent. Specifically, the `package.json` declares network permissions only for `api.sui.io` and `*.sui.io`, but the code in `src/utils/moltbook.ts` makes HTTP requests to `https://www.moltbook.com/api/v1`. Additionally, the skill attempts to save Moltbook session data to `~/.config/suiroll/moltbook-session.json` (as defined in `src/config.ts` and used in `src/commands/enter.ts`), which is outside the explicitly declared filesystem permission scope of `~/.openclaw/suiroll/` in `package.json`. These discrepancies indicate potential unauthorized network and filesystem access if OpenClaw enforces strict permissions, posing a vulnerability. There is no evidence of intentional data exfiltration, persistence, or prompt injection with malicious objectives.
Capability Assessment
Purpose & Capability
The skill's purpose (Sui lotteries with Moltbook agent auth) legitimately requires a Sui signing key and Moltbook API integration; the included code implements that (SUI_PRIVATE_KEY, Moltbook flows, Sui SDK usage). However the registry metadata declares no required env vars or config paths while SKILL.md, README and the code clearly require SUI_PRIVATE_KEY, MOLTBOOK_API_KEY and (in practice) MOLTBOOK_APP_KEY — this metadata mismatch is an inconsistency that should be resolved.
Instruction Scope
SKILL.md and the shipped code instruct the agent/user to export a private Sui key and Moltbook API keys and then run CLI commands that will sign on-chain transactions with the provided key. The enter flow interactively prompts for and saves Moltbook API keys; code reads/writes ~/.config/suiroll/moltbook-session.json and may reference ~/.config/moltbook/credentials.json. These instructions read and persist secrets and perform network calls (Sui RPC, Moltbook API) — all expected for this functionality, but they expand scope beyond simple read-only verification and involve signing transactions and storing API keys locally.
Install Mechanism
There is no external download/install spec in the registry (the skill bundle includes source and built JS). No remote extract or URL-based installer is used. The package depends on @mysten/sui SDK and standard npm modules (expected for Sui integration). No suspicious remote install sources were observed in the provided manifest.
Credentials
The skill requires highly sensitive secrets (SUI_PRIVATE_KEY to sign/custody funds, MOLTBOOK_API_KEY to mint identity tokens, and MOLTBOOK_APP_KEY which the code requires for verifying identity tokens). SUI_PRIVATE_KEY and MOLTBOOK_API_KEY are directly related to the stated purpose; however the need for MOLTBOOK_APP_KEY (an application developer key) is unusual for an end-user CLI and may be over-broad or mis-specified. Additionally, the registry metadata lists no required env vars despite these real requirements.
Persistence & Privilege
The tool saves Moltbook session data (including the Moltbook API key returned from interactive login or the env var) to ~/.config/suiroll/moltbook-session.json. The skill does not request always:true or claim system-wide privilege, and it doesn't appear to alter other skills. Persisting user API keys to disk is normal for CLI convenience but increases the attack surface (local secret leakage) and should be disclosed/understood by the user.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install suiroll
  3. After installation, invoke the skill by name or use /suiroll
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release
Metadata
Slug: suiroll
Version: 1.0.0
License
All-time Installs: 0
Active Installs: 0
Total Versions: 1
Frequently Asked Questions

What is SUIROLL?

Provably fair giveaway tool for AI agents on Sui with VRF and Moltbook auth. It is an AI Agent Skill for Claude Code / OpenClaw, with 381 downloads so far.

How do I install SUIROLL?

Run "/install suiroll" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is SUIROLL free?

Yes, SUIROLL is completely free (open-source). You can download, install and use it at no cost.

Which platforms does SUIROLL support?

SUIROLL is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created SUIROLL?

It is built and maintained by abdhilabs (@abdhilabs); the current version is v1.0.0.
