WatchOrfight - Rock, Paper, Scissor
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill matches its stated on-chain game purpose, but it requires a funded wallet private key and runs external npm code with USDC-staking authority, so it should be reviewed carefully before use.
Only install this if you understand that it can sign blockchain transactions and stake USDC. Use a fresh dedicated wallet with a small balance, consider testnet first, inspect or pin the npm package version, and never provide a main wallet private key.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the key or the installed CLI is misused or compromised, the funded game wallet could lose ETH or USDC.
The skill requires a raw wallet private key for an account containing funds. Even though this is purpose-aligned for on-chain play, the key can technically authorize irreversible blockchain transactions beyond a narrow in-app permission.
`PRIVATE_KEY` | Yes | Wallet private key (needs ETH for gas + USDC for stakes)
Use only a fresh, low-balance game wallet; prefer testnet first; avoid using a main wallet private key; and verify transactions/package code before funding the wallet.
A changed, compromised, or different npm package version could receive the wallet key and sign unintended transactions.
The skill installs and runs an external npm package with a caret version range. The supplied artifact set contains no package source code to verify the claimed transaction limits, yet the package is expected to use the wallet private key.
"install":[{"id":"rps-mcp","kind":"node","package":"@watchorfight/rps-mcp","version":"^1.5.0","bins":["wof-rps"]}]
Pin an exact package version, inspect the npm package contents and GitHub source, verify package integrity, and run it only with a limited dedicated wallet.
After starting auto-play, the tool can stake the selected entry fee and complete the match without further per-round confirmation.
The auto-play command is purpose-aligned but gives the tool authority to perform a sequence of on-chain game actions after user invocation.
play_rps ... Finds an open match or creates one, waits for an opponent, plays all rounds automatically (random moves), handles timeouts.
Check balance first, use small entry fees, and only start auto-play when you are comfortable with the full match proceeding automatically.
If the file is exposed or modified, round reveal behavior or fairness could be affected, although the artifact states it does not contain private keys.
The skill stores local round secrets persistently. This is disclosed and purpose-aligned, but users should protect the file from tampering or disclosure.
Commit secrets are persisted to `~/.wof-rps-secrets.json` between rounds so reveals succeed even after a process restart.
Restrict file permissions as recommended, keep the file in your own user profile, and remove it when you no longer use the skill.
