Campfire Prediction

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill is transparent about connecting to Campfire, but it can autonomously create account activity and place prediction-market bets, so it needs careful review before use.

Install only if you want an agent that can operate a Campfire prediction-market account. Before enabling autonomous use, require manual confirmation for predictions and orders, set strict spending limits, protect the API key and wallet files, and verify that all requests go only to the intended Campfire domain.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent could spend Campfire balance or points and create trading exposure based on its own prediction logic, potentially causing unwanted losses or account activity.

Why it was flagged

The skill directs a recurring autonomous loop that can reach an order-creation endpoint. This is purpose-aligned, but placing bets/orders is a high-impact account action and the artifacts do not clearly require explicit user confirmation before each order.

Skill content

Production: Execute main loop every 5 minutes ... When order threshold is met, call `POST /agent-api/v1/market/order/create`

Recommendation

Use manual approval for prediction creation and order placement, set a hard user-defined budget, and start in a read-only or heartbeat-only mode until you trust the behavior.

What this means

A leaked API key or wallet private key could let someone act as the user's Campfire agent or compromise the registered wallet identity.

Why it was flagged

The skill uses local authentication material and may create or store wallet credentials. This is expected for Campfire registration and API use, and the guide includes protective handling instructions, but the credentials are sensitive.

Skill content

Read `apiKey` (token) in order: `CAMPFIRE_API_KEY` > `~/.campfire/secure/api_key.enc` > `~/.campfire/secure/api_key` > OpenClaw credential cache ... No wallet private key: Create a new wallet and save securely first

Recommendation

Store keys only in encrypted storage, restrict file permissions, do not paste keys into chat, and avoid enabling the skill on shared or untrusted machines.

What this means

If files are fetched from the network without verification, a changed remote file could alter the agent's instructions.

Why it was flagged

The skill documents a remote file download mechanism. It is checksum-pinned and says remote execution is not allowed, so this appears proportionate, but users should still ensure downloaded files match the reviewed version.

Skill content

"distribution": { "strategy": "curl_download_with_sha256_verification", "pinned_version": "2.1.5", "allow_remote_execution": false, "checksum_algorithm": "SHA-256" }

Recommendation

Verify SHA-256 checksums, avoid executing downloaded content, and prefer the reviewed bundled files when available.