← Back to Skills Marketplace
wof-developers

WatchOrfight - Rock, Paper, Scissor

by wof-developers · GitHub ↗ · v1.0.7
darwinlinux ⚠ suspicious
549
Downloads
0
Stars
0
Active Installs
8
Versions
Install in OpenClaw
/install wof-rps
Description
Play Rock Paper Scissors on WatchOrFight — on-chain gaming with USDC stakes on Base
Usage Guidance
This skill appears internally consistent for playing an on‑chain RPS game, but you should not install or run it with a private key from a primary wallet. Before installing: 1) Inspect the npm package source (the SKILL.md points to github.com/wof-games/rps-mcp) or run npm pack @watchorfight/rps-mcp --dry-run to list files. 2) Use a dedicated game wallet with only the ETH/USDC you plan to stake (or use a hardware wallet / ephemeral signer) instead of exporting your main PRIVATE_KEY into environment variables. 3) Review what ~/.wof-rps-secrets.json contains after first run and set restrictive permissions (chmod 600). 4) Verify that USDC approval transactions are only to the RPSArena contract address before approving and that the CLI does not send funds to arbitrary addresses. 5) Treat global npm installs as moderate supply‑chain risk — consider auditing the package or running it in an isolated environment/VM. If you cannot or will not inspect the package, assume the npm install could execute arbitrary code and act accordingly.
Capability Analysis
Type: OpenClaw Skill Name: wof-rps Version: 1.0.7 The skill is classified as suspicious due to its requirement for a `PRIVATE_KEY` environment variable and its capability to perform on-chain transactions that spend USDC, which are inherently high-risk operations. While the `SKILL.md` provides extensive security recommendations (e.g., dedicated game wallet, hardware wallet, transaction scope) and explicitly disables autonomous agent invocation (`disable-model-invocation: true`), the direct handling of a private key and potential for real-money spending via the `wof-rps` CLI (installed via `npm install -g @watchorfight/rps-mcp`) elevates its risk profile beyond benign. There is no evidence of intentional malicious behavior like data exfiltration to arbitrary endpoints, backdoors, or deceptive prompt injection attempts within the provided files; the documentation is transparent and aims to guide secure usage.
Capability Assessment
Purpose & Capability
Name/description (on‑chain RPS with USDC stakes) matches what is requested: node/npx, an npm CLI package (@watchorfight/rps-mcp), and a wallet private key for signing transactions. Requesting PRIVATE_KEY and an installable wof-rps binary is expected for this purpose.
Instruction Scope
SKILL.md directs the agent to run the packaged CLI commands (create/join/play/claim/etc.) and to set PRIVATE_KEY; it limits network interactions to the stated RPSArena contract and USDC approvals. However these claims (no arbitrary sends; secret file contains only round secrets) cannot be verified because the skill is instruction-only and does not include the package source code. The doc also instructs creating ~/.wof-rps-secrets.json (persisted local secrets) which is in-scope but worth auditing in the package code.
Install Mechanism
Install uses a public npm package (@watchorfight/rps-mcp). That's an expected mechanism for a CLI but carries moderate supply‑chain risk: npm packages can contain arbitrary code. The SKILL.md points to a GitHub repo and suggests verifying package contents before installing (good).
Credentials
Only PRIVATE_KEY (plus optional NETWORK) is declared and used. A wallet private key is necessary to sign on‑chain transactions, so the credential request is proportionate. That said, PRIVATE_KEY is highly sensitive — the documentation correctly recommends a dedicated/funded game wallet or hardware/ephemeral signer rather than exposing a main key.
Persistence & Privilege
The skill does not request always:true and has disable-model-invocation:true (so it cannot run autonomously), which reduces risk. It does persist commit secrets to ~/.wof-rps-secrets.json between rounds — normal for commit/reveal games but users should confirm the file contents and permissions. Global npm install will place a binary on the system PATH (expected).
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install wof-rps
  3. After installation, invoke the skill by name or use /wof-rps
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.7
Minor security and safety documentation updates. - Added recommendation to prefer a hardware wallet or ephemeral signer over setting `PRIVATE_KEY` in env variables. - Clarified CLI contract interaction functions for transaction scope. - Added instructions to verify the CLI package source before installing. - Noted to restrict permissions on the local secret file after first use (`chmod 600 ~/.wof-rps-secrets.json`).
v1.0.6
- Enhanced security recommendations: now suggests using a hardware wallet or ephemeral signer instead of setting `PRIVATE_KEY` in environment variables. - Added a step to restrict permissions on the local secrets file: use `chmod 600 ~/.wof-rps-secrets.json` after first use. - Clarified that the package source can be inspected before installing, with instructions for `npm pack --dry-run`. - Expanded transaction scope description to list contract methods used. - Minor clarifications and rewording for improved documentation clarity.
v1.0.5
Version 1.0.5 - Commit secrets are now stored locally in `~/.wof-rps-secrets.json` between rounds to persist through process restarts and ensure successful reveals. - This file contains only cryptographic round secrets (not private keys or funds). - Documentation updated to reflect new local secret storage for commit-reveal rounds.
v1.0.4
- Added open-source repository and website links to metadata for easier access. - No operational or feature changes to user-facing functions. - Documentation and usage instructions remain unchanged. - Safe for upgrade; this is a metadata-only update.
v1.0.3
- Updated CLI dependency to @watchorfight/rps-mcp version ^1.5.0 (was ^1.4.0). - Introduced the play_round command for single-round, manual moves with full commit-reveal handling. - Adjusted documentation: “manual play” now centers around play_round (per-round control) instead of lower-level commit_move and reveal_move. - Minor wording and workflow updates for clarity (e.g., renamed “Manual Play” to “Strategic Play”; noted that join_and_play is no longer documented). - No user-facing file or feature changes outside documentation and CLI version bump.
v1.0.2
- Updated required CLI package to @watchorfight/rps-mcp v1.4.0 (was ^1.3.1) - Added claim_timeout command for claiming a win if an opponent fails to commit or reveal in time - Updated documentation to describe claim_timeout usage and workflow - No code or logic changes; documentation, metadata, and CLI command updates only
v1.0.1
wof-rps 1.0.1 Changelog - Updated CLI dependency to @watchorfight/rps-mcp@^1.3.1. - Added mint_identity command: lets users create a new ERC-8004 identity token on-chain (with name, optional description, and image). - Clarified register_agent now links your wallet to your minted ERC-8004 agent identity. - No other changes to skill logic or functionality.
v1.0.0
wof-rps 1.0.0 – Initial Release - Play Rock Paper Scissors on WatchOrFight, with USDC stakes and on-chain fairness on Base. - Supports automatic and manual commit-reveal play, match management, balance checks, and reputation via ERC-8004. - Provides commands for creating, joining, and refunding matches, monitoring matches and rounds, and viewing leaderboard and history. - Requires a dedicated wallet with PRIVATE_KEY; operates only on user request for security. - Clear usage instructions, environment variable setup, and security best practices included.
Metadata
Slug wof-rps
Version 1.0.7
License
All-time Installs 0
Active Installs 0
Total Versions 8
Frequently Asked Questions

What is WatchOrfight - Rock, Paper, Scissor?

Play Rock Paper Scissors on WatchOrFight — on-chain gaming with USDC stakes on Base. It is an AI Agent Skill for Claude Code / OpenClaw, with 549 downloads so far.

How do I install WatchOrfight - Rock, Paper, Scissor?

Run "/install wof-rps" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is WatchOrfight - Rock, Paper, Scissor free?

Yes, WatchOrfight - Rock, Paper, Scissor is completely free (open-source). You can download, install and use it at no cost.

Which platforms does WatchOrfight - Rock, Paper, Scissor support?

WatchOrfight - Rock, Paper, Scissor is cross-platform and runs anywhere OpenClaw / Claude Code is available (darwin, linux).

Who created WatchOrfight - Rock, Paper, Scissor?

It is built and maintained by wof-developers (@wof-developers); the current version is v1.0.7.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463942 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259883 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200739 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191401 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190375 · by oswalpalash

💬 Comments