WatchOrFight - Predict
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is coherent for on-chain prediction-market trading, but it asks an unreviewed npm CLI to use a raw wallet private key and move USDC, so it deserves careful review and containment.
Install only if you are comfortable letting the npm CLI sign transactions from a wallet. Use a fresh dedicated wallet, keep only small amounts of ETH and USDC in it, try testnet first, verify the exact package version and contract interactions, and remember that `predict` and `advance` can create irreversible on-chain transactions.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
63/63 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the installed package or a later matching npm version is compromised or behaves differently than described, it could misuse the wallet key or sign unwanted transactions.
The runnable CLI is installed from npm with a semver range, while the submitted manifest contains only SKILL.md and no code for review. Because this package will handle a wallet private key and sign USDC-related transactions, the provenance gap is material.
`"package":"@watchorfight/prediction-mcp","version":"^1.3.5","bins":["wof-predict"]`
Inspect and pin the exact package version before use, prefer testnet first, and only use a newly created wallet with minimal ETH and USDC.
Using a main wallet or heavily funded wallet could expose more funds than intended if the CLI, environment, or host is compromised.
The private key requirement is expected for signing on-chain prediction-market transactions, but it is a highly sensitive credential with control over the funded wallet.
| `PRIVATE_KEY` | Yes | Wallet private key (needs ETH for gas + USDC for stakes) |
Follow the skill’s own advice: generate a dedicated game wallet, fund it only with the amount you are willing to stake, and never reuse a primary wallet key.
Repeated use can advance markets and trigger blockchain transactions without a separate prompt for each lifecycle step.
The `advance` command can automatically perform multiple on-chain actions once invoked. This is disclosed and purpose-aligned, but users should understand each call may create transactions and spend gas.
Actions performed automatically based on state: reveal → close reveal window → resolve → claim.
Review market state and expected gas/financial effects before running `advance`, especially on mainnet.
If the local secrets file is lost, altered, or exposed, active market participation or reveal behavior could be affected.
The skill stores commit-reveal data locally for continuity. This persistence is disclosed and relevant to the protocol, but the file may be sensitive for active markets.
Secrets (commit-reveal data) are persisted to `~/.wof-predict/secrets.json` so you can reveal positions across sessions.
Keep the local secrets file private, avoid syncing it to shared locations, and back it up only in a secure place if active positions depend on it.
