ClawHub

Predict.fun MCP

v0.5.2

Access Predict.fun prediction market data on BNB Chain — platform stats, market analysis, trader profiling, yield mechanics, and behavioral meta-tools via Th...

0· 203·0 current·0 all-time
by@paulieb14
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binary (node), and required env var (GRAPH_API_KEY) all align with a Node-based MCP server that queries The Graph Gateway for Predict.fun subgraphs. The hard-coded subgraph IDs and Graph gateway endpoints fit the described functionality.
Instruction Scope
SKILL.md and the shipped code instruct the agent to perform GraphQL queries against gateway.thegraph.com using the provided API key, start an optional local HTTP/SSE server, and return structured results. The instructions do not read arbitrary local files, request other environment variables, or send data to unexpected external endpoints.
Install Mechanism
No high-risk download URLs are used; the documented install/run method is 'npx predictfun-mcp' (standard npm usage). The package.json dependencies (@modelcontextprotocol/sdk, express) are consistent with an MCP server. There is no custom installer or obscure remote fetch in the code provided.
Credentials
Only GRAPH_API_KEY is required and is directly used to authenticate requests to The Graph Gateway. No unrelated secrets, system credentials, or config paths are requested.
Persistence & Privilege
The skill does not request 'always: true' or other elevated persistent privileges. It runs as a user process and optionally opens a local HTTP/SSE port (default 3850); this is expected for an MCP server but should be considered when exposing to networks.
Assessment
This package appears to do what it says: query three Predict.fun subgraphs through The Graph Gateway and optionally run a local MCP (SSE/HTTP) server. Before installing: (1) only provide a The Graph API key (GRAPH_API_KEY); use a limited or monitoring-enabled key if possible because queries are billed to it; (2) running with --http or --http-only opens a local port (default 3850) — avoid exposing that port to untrusted networks or firewall it; (3) npx will fetch the package from the npm registry — verify the package and maintainer on npm/GitHub (the repo URL is in package.json) and confirm version consistency if that matters; (4) if you need stricter assurance, review the published npm package contents and the dist/index.js source included here (no obfuscated or exfiltrating code was found).
dist/index.js:9
Environment variable access combined with network send.
src/index.ts:12
Environment variable access combined with network send.
Confirmed safe by external scanners
Static analysis detected API credential-access patterns, but both VirusTotal and OpenClaw confirmed this skill is safe. These patterns are common in legitimate API integration skills.

Like a lobster shell, security has layers — review code before you run it.

latestvk9727hy26n9h897dnj61e9bbz582v5m0

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsnode
EnvGRAPH_API_KEY
Primary envGRAPH_API_KEY

Comments