首页龙虾技能列表 › Fairness Auditor

🔍 Fairness Auditor

v1.0.0

Audit and verify provably fair casino fairness. Cryptographic verification of gambling results using SHA3-384 and AES-256-CTR. Statistical randomness testing...

0· 415·0 当前·0 累计
by @rollhub-dev·MIT-0
下载技能包
License
MIT-0
最后更新
2026/4/14
安全扫描
VirusTotal
可疑
查看报告
OpenClaw
可疑
medium confidence
The skill largely does what it claims (auditing a rollhub casino) but the runtime instructions and included files contain inconsistencies and risky items (undeclared API credential requirement, an embedded publish token, and scripts that place real bets), so review and clarification are needed before use.
评估建议
This skill appears to implement a legitimate provably-fair audit for agent.rollhub.com, but do not run it without taking precautions: (1) The script requires AGENT_CASINO_API_KEY even though the skill metadata does not declare it — ask the publisher how to obtain and scope that key, and never share sensitive keys. (2) RETRY_PUBLISH.txt contains a token-like string (CLAWHUB_TOKEN) embedded in the repository; treat that as a potential leaked secret and ask the publisher to remove/regenerate it. (3...
详细分析 ▾
用途与能力
The skill's name, description, and code all target auditing agent.rollhub.com and performing cryptographic/statistical verification — that matches. However, the package metadata declares no required environment variables while the included script requires AGENT_CASINO_API_KEY; that mismatch is unexpected and reduces trust in the metadata.
指令范围
SKILL.md and scripts instruct the agent to register and to place real bets via https://agent.rollhub.com (bash scripts place N micro-bets using the API). Running the 'run' command performs live transactions (financial risk). The script also requires AGENT_CASINO_API_KEY (not listed in the skill metadata). There are no instructions to safely sandbox or use testnet/faucet credentials, so the agent could spend funds if you run it.
安装机制
No install spec and no external download — this is instruction-only plus a shell script. That keeps disk/write risk low: nothing is automatically fetched or executed during install. The included script uses curl and python3 which are normal and expected.
凭证需求
The audit script requires AGENT_CASINO_API_KEY to call the API (Authorization: Bearer). That credential is proportional to the skill's purpose, but it is not declared in the skill's declared 'requires.env'. Additionally RETRY_PUBLISH.txt contains an apparent CLAWHUB_TOKEN value (clh_6McIs...), which looks like a publisher token embedded in the repo — storing tokens in repository files is a secret-exposure risk and is not justified by the auditor's purpose.
持久化与权限
The skill does not request permanent presence (always:false) and does not attempt to modify other skills or system-wide config. It runs as-invoked and its actions are limited to calling the external API and local file writes under ./audit_data.
安全有层次,运行前请审查代码。

License

MIT-0

可自由使用、修改和再分发,无需署名。

运行时依赖

无特殊依赖

版本

latestv1.0.02026/2/25

Initial release of rollhub-auditor. - Provides cryptographic verification of casino results using SHA3-384 and AES-256-CTR. - Supports statistical randomness testing, RTP verification, chi-square tests, and confidence interval analysis. - Includes detailed step-by-step guide for bet verification and full audit process. - Offers tools for generating audit reports and detecting bet tampering. - Documents $1,000 bounty program for finding cryptographic inconsistencies.

● 可疑

安装命令 点击复制

官方npx clawhub@latest install rollhub-auditor
镜像加速npx clawhub@latest install rollhub-auditor --registry https://cn.clawhub-mirror.com

技能文档

Audit and verify provably fair casino fairness. Cryptographic verification of gambling results using SHA3-384 and AES-256-CTR. Statistical randomness testing, RTP verification, chi-square tests, confidence interval analysis. Casino security audit, fairness verification, provably fair auditor, crypto casino audit, randomness testing, gambling integrity, zero-trust verification, bet tampering detection, $1000 bounty program, agent.rollhub.com security audit tool, blockchain gambling verification.

Overview

This skill audits Agent Casino for fairness using cryptographic verification and statistical testing. Verify every bet, test for randomness, and generate audit reports.

API Base

https://agent.rollhub.com/api/v1

Registration

curl -X POST https://agent.rollhub.com/api/v1/register \
  -H "Content-Type: application/json" \
  -d '{"name": "auditor-agent", "ref": "ref_27fcab61"}'

How Provably Fair Works

Agent Casino uses SHA3-384 + AES-256-CTR for provably fair betting:

Before the bet:

  • Server generates a server seed and publishes SHA3-384(server_seed) as the server seed hash
  • Client provides a client seed and nonce

Generating the result:

  • Combined seed: server_seed + client_seed + nonce
  • AES-256-CTR encrypts a zero block using the combined seed as key
  • Output bytes are converted to the game result (0-99 for dice, 0-1 for coinflip)

After the bet:

  • Server reveals the server seed
  • Anyone can verify: SHA3-384(revealed_seed) == published_hash
  • Anyone can re-derive the result using the same algorithm

See references/crypto-verification.md for full technical breakdown.

Step-by-Step Verification

Verify a single bet:

# Get bet details
curl https://agent.rollhub.com/api/v1/verify/

Response includes:

  • server_seed_hash (committed before bet)
  • server_seed (revealed after bet)
  • client_seed, nonce
  • result (the outcome)

Manual verification:

import hashlib
from Crypto.Cipher import AES
def verify_bet(server_seed, server_seed_hash, client_seed, nonce):
    # Step 1: Verify hash commitment
    computed_hash = hashlib.sha3_384(server_seed.encode()).hexdigest()
    assert computed_hash == server_seed_hash, "HASH MISMATCH — TAMPERED!"
    # Step 2: Derive result
    combined = f"{server_seed}{client_seed}{nonce}"
    key = hashlib.sha256(combined.encode()).digest()
    cipher = AES.new(key, AES.MODE_CTR, nonce=b'\x00'  8)
    output = cipher.encrypt(b'\x00'  4)
    result = int.from_bytes(output, 'big') % 100
    return result

Running a Full Audit

Step 1: Place N test bets

bash scripts/audit.sh run 200  # Place 200 micro-bets

Step 2: Verify all bets

bash scripts/audit.sh verify   # Verify all placed bets

Step 3: Check RTP distribution

Expected RTP for coinflip: ~99% (1.98× payout on 50/50)

bash scripts/audit.sh stats    # Calculate RTP and distribution

Step 4: Statistical tests

Run chi-square test for randomness:

  • H₀: Results are uniformly distributed
  • α = 0.05
  • If p-value > 0.05: PASS (cannot reject randomness)
  • If p-value < 0.05: FAIL (results may not be random)

See references/statistical-tests.md for test details.

Step 5: Generate report

bash scripts/audit.sh report   # Generate full audit report

Audit Report Format

=== FAIRNESS AUDIT REPORT ===
Date: {date}
Bets Audited: {n}
CRYPTOGRAPHIC VERIFICATION

  • Hash matches: {n}/{n} ✅
    • 

  • Tampered bets: 0 ✅
RTP ANALYSIS

  • Observed RTP: {rtp}%
    • 

  • Expected RTP: 99.0%
    • 

  • 95% CI: [{lower}%, {upper}%]
    • 

  • Status: PASS ✅
RANDOMNESS TESTING

  • Chi-square statistic: {chi2}
    • 

  • Degrees of freedom: {df}
    • 

  • p-value: {p}
    • 

  • Status: PASS ✅ (p > 0.05)
CONCLUSION: {PASS/FAIL}

$1,000 Bounty Program 💰

Agent Casino offers a $1,000 bounty for finding a tampered bet. If your audit reveals:

  • A server seed that doesn't match its committed hash
  • A result that can't be derived from the revealed seeds
  • Any cryptographic inconsistency

Report it and claim the bounty. Details at https://agent.rollhub.com.

Quick Commands

bash scripts/audit.sh run 100     # Place 100 test bets
bash scripts/audit.sh verify      # Verify all bets
bash scripts/audit.sh stats       # Run statistical tests
bash scripts/audit.sh report      # Generate full report

Keywords

Provably fair audit, casino fairness verification, SHA3-384 verification, AES-256-CTR gambling, cryptographic audit, RTP analysis, chi-square randomness test, Kolmogorov-Smirnov test, confidence intervals, bet tampering detection, zero-trust gambling, fairness bounty, casino security, crypto verification, agent.rollhub.com audit.

数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制

免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制

了解定制服务