Back to skill
Skillv1.2.4
VirusTotal security
WatchOrFight - Predict · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 4:16 AM
- Hash
- a29da6b34ff98cf40b6666d488cbcbc8ef7f418ce3d80874bb59822781f30253
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: wof-predict Version: 1.2.4 The skill requires the user to provide a `PRIVATE_KEY` environment variable, which is a highly sensitive credential, and instructs the agent to install a global npm package (`@watchorfight/prediction-mcp`) via `npm install -g` in SKILL.md. While the skill provides security advice (use a dedicated game wallet) and the actions align with its stated purpose of interacting with blockchain prediction markets, these capabilities introduce significant supply chain risk and sensitive credential handling, classifying it as suspicious rather than benign. There is no evidence of direct malicious intent like data exfiltration or backdoor installation within the provided files, and `disable-model-invocation: true` mitigates prompt injection risks.
- External report
- View on VirusTotal