WatchOrFight - Predict

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill is clearly meant for crypto prediction-market trading, but it requires a raw wallet private key and installs an unreviewed npm CLI that can spend USDC, so it needs careful review before use.

Install only if you understand that this is real crypto trading. Use a fresh, low-funded wallet, verify the npm package and contract details, avoid main-wallet private keys, and protect the local secrets file used for market reveals.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the installed CLI, environment, or wallet key is misused or compromised, funds in that wallet could be spent or approvals could be made on-chain.

Why it was flagged

The skill requires a raw blockchain private key, which can sign transactions for the entire wallet holding ETH and USDC, not just a narrowly scoped API token.

Skill content

| `PRIVATE_KEY` | Yes | Wallet private key (needs ETH for gas + USDC for stakes) |

Recommendation

Use only a fresh dedicated wallet with the minimum ETH and USDC you are willing to risk; do not provide a main wallet private key.

What this means

A package update or compromised dependency could affect code that has access to the wallet private key and can submit transactions.

Why it was flagged

The runtime behavior comes from an external npm package with a version range; the supplied artifacts include only SKILL.md, so the package code that handles keys and transactions was not available for static review.

Skill content

"package":"@watchorfight/prediction-mcp","version":"^1.3.5","bins":["wof-predict"]

Recommendation

Verify the npm package and source repository, prefer a pinned audited version, and avoid installing it in an environment containing valuable wallet keys.

What this means

Running these commands can spend gas, stake USDC, reveal positions, resolve markets, and claim funds; on-chain effects may not be reversible.

Why it was flagged

The advance command is purpose-aligned, but one user-invoked command can automatically perform multiple on-chain lifecycle actions for a market.

Skill content

Repeat `advance` until it returns `"done": true`. It handles reveal, close, resolve, and claim automatically.

Recommendation

Review the market ID, amount, network, and wallet balance before each transaction-oriented command, especially on mainnet.

What this means

If this file is deleted, modified, or exposed, positions may fail to reveal correctly or private strategy data may leak.

Why it was flagged

The skill stores market-related secret data locally for later reveals; this is disclosed and purpose-aligned but sensitive for active positions.

Skill content

Secrets (commit-reveal data) are persisted to `~/.wof-predict/secrets.json` so you can reveal positions across sessions.

Recommendation

Protect the ~/.wof-predict directory, avoid sharing it, and back it up only in a secure location if active markets depend on it.