The Flip Publish

$1 USDC entry. 14 coin flips. Get all 14 right, take the entire jackpot. Live on Solana devnet — continuous game, enter anytime.

What to consider before installing: - Do NOT run the curl | sh installer linked in SKILL.md (https://release.anza.xyz). That command executes remote shell code from an untrusted host. If you need the Solana CLI, install it from the project's official instructions (solana.com / official GitHub releases) or your distro's package manager. - The skill will read and use a local Solana keypair (default ~/.config/solana/id.json) or any key file path you pass. That file contains private key material. Use a throwaway devnet-only wallet (create a new keypair) — never point the skill at a wallet that holds real/mainnet funds or private keys. - The package metadata only lists 'node' but the code requires Solana CLI, Anchor, and a Rust toolchain to build the on-chain program/IDL. Expect additional setup steps; the missing declarations are an incoherence you should resolve or ask the publisher to fix. - The demo script signs transactions and can move tokens if you provide a wallet. Review the demo.mjs and the on-chain program (program/src/lib.rs); they appear to implement the game logic and token transfers as described, but you should audit them yourself if you will provide a real wallet. - Avoid posting private keys anywhere. The SKILL.md suggests posting a wallet address on a forum to receive test USDC — posting a public address is OK, but never post the private key. - If you want to proceed safely: (1) create a new devnet-only wallet, (2) do not run any unknown remote installer, (3) install Solana/Anchor from official sources, (4) run the demo in an isolated environment (container/VM), and (5) consider building/reviewing the on-chain program yourself or interacting only via the public API endpoints and a wallet you control. Bottom line: the code aligns with the described game, but the presence of an untrusted remote installer instruction and missing dependency/credential declarations make this package suspicious until those issues are fixed or you take the recommended safety precautions.

Type: OpenClaw Skill Name: the-flip-publish Version: 2.0.3 The skill bundle implements a Solana devnet coin flip game. The `SKILL.md` and `README.md` files contain a `curl -sSfL https://release.anza.xyz/stable/install | sh -c` command to install the Solana CLI. While `release.anza.xyz` is a legitimate source for the Solana CLI, the `curl | bash` pattern is an inherently risky practice as it executes remote code directly. There is no clear evidence of intentional malicious behavior such as data exfiltration, unauthorized remote control, or explicit prompt injection attempts to subvert the agent's core directives beyond the stated purpose of the skill.