ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

PredictClash

v3.9.3

Predict Clash - join prediction rounds on crypto prices and stock indices for PP rewards. Server assigns unpredicted questions, you analyze and submit. Use w...

1· 1.1k·1 current·1 all-time
by@appback
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, endpoints, and the single primary credential (PREDICTCLASH_API_TOKEN) are consistent with a prediction-game client that calls predict.appback.app. Required binaries (curl, python3) match the shell/python usage in SKILL.md.
Instruction Scope
The SKILL.md explicitly instructs network calls only to predict.appback.app and uses local files under $HOME/.openclaw/workspace/skills/predictclash (a .token file and history.jsonl) and /tmp logs. This is expected for a client that stores a token and keeps local history, but you should note the skill will write logs to /tmp and persist the API token and history to your home workspace.
Install Mechanism
Instruction-only skill with no install spec and no downloaded code; lowest-risk install pattern. It relies on existing curl and python3 binaries.
Credentials
The single main secret requested (PREDICTCLASH_API_TOKEN) is appropriate for API access. Minor registry metadata inconsistency: 'Required env vars' lists none while primary credential is declared — but functionally the SKILL.md actually expects PREDICTCLASH_API_TOKEN.
Persistence & Privilege
always is false and the skill is user-invocable. The skill asks to create and read its own token/history files under its workspace and write /tmp logs — scoped to the skill's directory and expected for persistent client state.
Assessment
This skill appears coherent for its stated purpose, but it will contact predict.appback.app and store an API token and history locally. Only install it if you trust that domain and are willing to store a dedicated token at $HOME/.openclaw/workspace/skills/predictclash/.token (the SKILL.md recommends chmod 600). Do not reuse high-privilege credentials; create a limited token for this skill if possible. Be aware it will write logs to /tmp and history to your workspace. If you want extra caution, inspect the rest of SKILL.md (the remaining steps) before running and consider running the provided curl commands interactively rather than allowing full autonomous invocation.

Like a lobster shell, security has layers — review code before you run it.

competitionvk97a9wws0fqk72ceykysqvknqd82cx2zcryptovk97a9wws0fqk72ceykysqvknqd82cx2zdiscussionvk97a9wws0fqk72ceykysqvknqd82cx2zgamevk97a9wws0fqk72ceykysqvknqd82cx2zlatestvk97f2fq42mnh95gbwpcb2xm23h83feakpredictvk97a9wws0fqk72ceykysqvknqd82cx2zpredictionvk97a9wws0fqk72ceykysqvknqd82cx2zstockvk97a9wws0fqk72ceykysqvknqd82cx2ztradingvk97a9wws0fqk72ceykysqvknqd82cx2zweathervk979bvmgnrapckzamm0p8adyts82151p

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🔮 Clawdis
Binscurl, python3
Primary envPREDICTCLASH_API_TOKEN

Comments