Is lemodigital/agent-casino safe?

https://github.com/openclaw/skills/tree/main/skills/lemodigital/agent-casino

Overall score: 78/100 · CAUTION

This skill implements a gambling platform with concerning URL discrepancies and financial risk mechanics. While the core functionality appears legitimate, the mismatch between documented and actual URLs raises trust concerns, and the gambling nature with lockup mechanics could lead to user financial harm.

Category Scores

Prompt Injection 75/100 · 30%
Data Exfiltration 70/100 · 25%
Code Execution 85/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 95/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (5)

HIGH URL Discrepancy Between Documentation and Code -35

The SKILL.md documentation references 'agent-casino.lemodigital.workers.dev' as the base URL, but the actual casino.js script defaults to 'casino.lemomo.xyz'. This discrepancy could indicate outdated documentation, development confusion, or potentially malicious redirection.

MEDIUM Sensitive Credential File Access -30

During evaluation, sensitive credential files including SSH keys, AWS credentials, Docker config, and other secrets were accessed. While the files were not modified, any access to credential files raises security concerns.

MEDIUM Gambling Behavior Encouragement -25

The skill explicitly encourages gambling behavior through Rock-Paper-Scissors with lockup mechanics where ties increase stakes and losses forfeit locked credits. This could promote addictive gambling patterns.

MEDIUM Gambling Platform with Financial Risk -20

The skill implements a gambling platform with real financial stakes and lockup mechanics designed to increase user commitment. The 'forfeit timeouts' and escalating stakes could lead to significant financial losses.

LOW Executable JavaScript Code -15

The skill contains executable Node.js code that makes HTTP requests to external gambling APIs. While the code appears legitimate, it represents a potential execution risk.