Skill v1.2.4
ClawScan security
WatchOrFight - Predict · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 25, 2026, 5:27 PM
- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and instructions are coherent with an on-chain prediction-market CLI: it reasonably needs node and a wallet PRIVATE_KEY and documents local secret storage — minor metadata and install-version inconsistencies should be reviewed before install.
- Guidance: This skill appears to do what it says: a Node CLI that needs a wallet private key to sign Base (L2) transactions. Before installing:
  1. Verify the npm package (@watchorfight/prediction-mcp) and its GitHub repo (check authors, recent commits, and npm publish history).
  2. Use a dedicated, funded-only-for-gaming wallet — do not use your main/treasury private key.
  3. Inspect ~/.wof-predict/secrets.json after use and set restrictive file permissions (chmod 600).
  4. Note the package version mismatch in the SKILL.md metadata; confirm which package version will be installed.
  5. Prefer running the CLI in an isolated environment (container or throwaway VM) if you are unsure about package provenance.
Review Dimensions
- Purpose & Capability (ok): The skill claims to trade on WatchOrFight (on-chain markets) and requires a wallet PRIVATE_KEY and a Node-based CLI package. Asking for a private key and node/npm is proportionate to signing transactions and installing an npm CLI.
- Instruction Scope (note): Runtime instructions are limited to running the packaged CLI (wof-predict). They explicitly require PRIVATE_KEY and persist commit-reveal secrets to ~/.wof-predict/secrets.json — this is expected for cross-session reveals but is sensitive and worth auditing. The SKILL.md does not instruct reading unrelated system files or exfiltrating data.
- Install Mechanism (note): Install is an npm package (@watchorfight/prediction-mcp), which is an expected mechanism for a Node CLI. This writes a global binary (npm -g) — moderate risk compared to instruction-only skills. Minor inconsistencies: the skill registry lists this skill as version 1.2.4 while the metadata references package version ^1.3.5; also, the top-level metadata initially showed 'Source: unknown, Homepage: none' but the SKILL.md metadata includes source and homepage URLs. Verify the npm package and upstream repo before installing.
- Credentials (ok): Only PRIVATE_KEY is required (with optional NETWORK and RPC_URL), which matches the stated purpose. PRIVATE_KEY is highly sensitive — the docs recommend a dedicated game wallet, which is appropriate. No unrelated credentials are requested.
- Persistence & Privilege (ok): always:false and disable-model-invocation:true reduce automatic/always-on risk. The skill persists secrets to ~/.wof-predict/secrets.json (expected for commit-reveal flows) — the user should ensure file permissions are restrictive and that only a disposable/dedicated wallet is used.
