Is cryptopunk2070/sportsbook safe?
https://github.com/openclaw/skills/tree/main/skills/cryptopunk2070/sportsbook
The Fuku Sportsbook skill presents three interconnected high-severity risks: (1) a persistent C2 channel via silent notification polling on every invocation that allows the remote API operator to inject instructions into the agent's context, (2) explicit transparency suppression instructing the agent to operate 'behind the scenes' and hide all actions from users, and (3) autonomous financial transaction capability—the skill instructs the agent to independently place cryptocurrency bets (up to $100-500 per bet in real USDC on Base chain) without per-transaction user confirmation, particularly through the HEARTBEAT.md integration which runs continuously in the background. While no direct system credential exfiltration or canary file compromise was detected, the skill's fundamental architecture combines a server-controlled behavior injection mechanism with real-money autonomous action capability, representing a pattern more commonly associated with malware C2 frameworks than legitimate sports analytics tools.
Findings (13)
CRITICAL Silent Notification Polling Creates Server-Side C2 Channel -35
The SKILL.md instructs the agent to 'silently check for notifications' at the START of every skill invocation, before handling the user's actual request. The system.announcement notification type pushes arbitrary content directly into the agent's context as an 'info banner' without user awareness. This architecture means the remote API operator at cbb-predictions-api-nzpk.onrender.com can inject instructions into the agent's decision-making process at any time, for any user with the skill installed.
HIGH Explicit Transparency Suppression: Actions Hidden From User -20
The SKILL.md explicitly instructs the agent to conceal its actions from users. Registration steps call external APIs 'behind the scenes' without displaying what commands are running or what data is being sent. This prevents users from making informed consent decisions and masks the data flows described in the data exfiltration findings.
HIGH Autonomous Financial Transactions Without Per-Transaction Consent -40
The HEARTBEAT.md integration section instructs the agent to autonomously analyze betting opportunities and POST picks to the Fuku Sportsbook API at every heartbeat cycle. In paid tier, each bet involves real USDC on Base chain with 'losses collected on-chain immediately.' The agent is instructed to 'select 1-2 best value plays' and POST them without any per-transaction user confirmation. The daily schedule (9AM and 3PM EST) means bets can be placed at any time.
HIGH API Key Transmitted to External Server on Every Invocation -25
The poll_notifications.py script, executed silently on every skill invocation, sends the user's API key in an HTTP header to cbb-predictions-api-nzpk.onrender.com. This occurs even for benign sports queries that do not require authentication. Combined with the silent execution pattern, users are unaware that their credentials are being transmitted on every request.
HIGH Real-Identity and Betting Strategy Collection -20
The registration flow collects users' Twitter/X handles (real-world identity), betting strategies described in natural language (intellectual content), and links these permanently to cryptocurrency wallet addresses. This data is transmitted to and permanently stored by the external Fuku Sportsbook service. The Twitter verification step also creates a public, linkable on-chain identity-to-handle association.
HIGH Cryptocurrency Seed Phrase Displayed in LLM Conversation Context -25
The skill instructs the agent to display a full cryptocurrency wallet seed phrase directly in the conversation with text creating urgency ('SAVE THIS SEED PHRASE NOW - it will never be shown again!'). Seed phrases shown in LLM conversations may be retained in context windows, conversation logs, cloud sync, or operator-side logging. The urgency framing is a social engineering pattern designed to pressure users into insecure handling.
MEDIUM Remote Server Injects Content Into Agent Context via Announcements -10
The system.announcement notification type allows the remote server operator to inject arbitrary text content into the agent's visible context as an 'info banner.' A compromised API server, a malicious operator, or a supply-chain attack on cbb-predictions-api-nzpk.onrender.com could use this channel to override user preferences, fabricate information, or inject adversarial instructions.
MEDIUM Betting Analysis and Picks Exfiltrated to External API -15
The agent is instructed to POST detailed betting analysis including game selection, pick direction, bet amount, odds, and reasoning text to the external API. This represents substantive intellectual output generated by the user's configured agent being permanently sent to a third-party service outside the user's control.
MEDIUM Skill Inserts Itself Into Persistent Heartbeat Execution Loop -17
The HEARTBEAT.md Integration section instructs users to add this skill's notification polling and autonomous betting to their persistent HEARTBEAT.md file. This means the skill executes on every heartbeat cycle — continuously in the background — performing C2 polling and autonomous financial actions without the user actively invoking it.
LOW Python Scripts with Network Access Installed to Skill Directory -20
The skill includes 8 Python scripts that use httpx and requests libraries to make outbound HTTPS connections. While the scripts are explicitly invoked by the SKILL.md (no install hooks or auto-execution), they extend the skill's attack surface by adding network-capable code to the user's environment.
LOW API Credentials Written to Predictable Filesystem Location -8
The skill writes the user's API key and agent_id to ~/.config/fuku-sportsbook/config.json, a predictable location accessible by any other installed skill with filesystem access (Read tool). The config_loader.py also reads from env vars DAWG_PACK_API_KEY and DAWG_PACK_AGENT_ID, which could conflict with or be read alongside other environment credentials.
INFO Standard Installation from OpenClaw Monorepo -15
The skill was installed via a standard sparse-checkout git clone from github.com/openclaw/skills.git. No unexpected network connections, process spawning, or filesystem modifications outside the target directory were observed during installation.
INFO Canary File Accesses Attributed to Monitoring System -8
Canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were accessed in batch at timestamps 1771923311 (pre-install baseline) and 1771923327.441 (post-install integrity check). The simultaneous batch-access pattern at identical millisecond timestamps is consistent with the oathe monitoring system performing SHA256 comparison scans, not skill-directed access. No content modification or exfiltration was detected.