Fairness Auditor
Author: rollhub-dev · GitHub · v1.0.0
Total downloads: 500
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install rollhub-auditor
Description
Audit and verify provably fair casino fairness. Cryptographic verification of gambling results using SHA3-384 and AES-256-CTR. Statistical randomness testing...
Safe usage recommendations
This skill appears to implement a legitimate provably-fair audit for agent.rollhub.com, but do not run it without taking precautions: (1) The script requires AGENT_CASINO_API_KEY even though the skill metadata does not declare it — ask the publisher how to obtain and scope that key, and never share sensitive keys. (2) RETRY_PUBLISH.txt contains a token-like string (CLAWHUB_TOKEN) embedded in the repository; treat that as a potential leaked secret and ask the publisher to remove/regenerate it. (3) The 'run' command places real bets via the casino API and can spend money — test in a sandbox/testnet environment or with a dedicated low-value account before running at scale. (4) Prefer to inspect the API responses and verify that endpoints are legitimate (https://agent.rollhub.com) before granting network access. If you need higher assurance, ask the publisher to (a) update the skill metadata to declare required env vars (AGENT_CASINO_API_KEY), (b) remove embedded tokens from the repo, and (c) document how to obtain/test keys and how to run using test credentials.
Functional analysis
Type: OpenClaw Skill
Name: rollhub-auditor
Version: 1.0.0
The skill's core functionality, as described in SKILL.md and implemented in scripts/audit.sh, appears benign, focusing on auditing a provably fair casino at agent.rollhub.com. However, the file RETRY_PUBLISH.txt contains a hardcoded CLAWHUB_TOKEN (clh_6McIsLBkCfql-bsonlCCQ9p_4eWUw6azM9dxeU53Hl0). This is a critical vulnerability, as this token could be used by an attacker to publish or update skills under the owner's ID, posing a significant supply chain risk for the OpenClaw platform.
Capability assessment
Purpose & Capability
The skill's name, description, and code all target auditing agent.rollhub.com and performing cryptographic/statistical verification — that matches. However, the package metadata declares no required environment variables while the included script requires AGENT_CASINO_API_KEY; that mismatch is unexpected and reduces trust in the metadata.
Instruction Scope
SKILL.md and scripts instruct the agent to register and to place real bets via https://agent.rollhub.com (bash scripts place N micro-bets using the API). Running the 'run' command performs live transactions (financial risk). The script also requires AGENT_CASINO_API_KEY (not listed in the skill metadata). There are no instructions to safely sandbox or use testnet/faucet credentials, so the agent could spend funds if you run it.
Install Mechanism
No install spec and no external download — this is instruction-only plus a shell script. That keeps disk/write risk low: nothing is automatically fetched or executed during install. The included script uses curl and python3 which are normal and expected.
Credentials
The audit script requires AGENT_CASINO_API_KEY to call the API (Authorization: Bearer). That credential is proportional to the skill's purpose, but it is not declared in the skill's declared 'requires.env'. Additionally RETRY_PUBLISH.txt contains an apparent CLAWHUB_TOKEN value (clh_6McIs...), which looks like a publisher token embedded in the repo — storing tokens in repository files is a secret-exposure risk and is not justified by the auditor's purpose.
Persistence & Privilege
The skill does not request permanent presence (always:false) and does not attempt to modify other skills or system-wide config. It runs as-invoked and its actions are limited to calling the external API and local file writes under ./audit_data.
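How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install rollhub-auditor
- Once installation completes, call the Skill by name or trigger it with /rollhub-auditor
- Provide the required input according to the Skill's parameter documentation to get structured output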
Version history
v1.0.0
Initial release of rollhub-auditor.
- Provides cryptographic verification of casino results using SHA3-384 and AES-256-CTR.
- Supports statistical randomness testing, RTP verification, chi-square tests, and confidence interval analysis.
- Includes detailed step-by-step guide for bet verification and full audit process.
- Offers tools for generating audit reports and detecting bet tampering.
- Documents $1,000 bounty program for finding cryptographic inconsistencies.
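FAQ
What is Fairness Auditor?
Audit and verify provably fair casino fairness. Cryptographic verification of gambling results using SHA3-384 and AES-256-CTR. Statistical randomness testing... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 500 cumulative downloads to date.
How do I install Fairness Auditor?
Run the command "/install rollhub-auditor" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is required.
Is Fairness Auditor free?
Yes, Fairness Auditor is completely free (free and open source) and can be freely downloaded, installed and used.
Which platforms does Fairness Auditor support?
Fairness Auditor is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Fairness Auditor?
It is developed and maintained by rollhub-dev (@rollhub-dev); the current version is v1.0.0.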