ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ORE Miner

v1.0.3

Autonomous ORE mining on Solana via refinORE. Onboard humans, start/stop sessions, optimize tile strategies, track P&L, manage risk, auto-restart, multi-coin...

0· 1.6k·1 current·1 all-time
byCubs@jusscubs
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (autonomous mining on refinORE) matches the requested env vars (REFINORE_API_URL, REFINORE_API_KEY) and the included scripts. All scripts call refinORE API endpoints (account, wallet, mining/start, etc.) — credentials requested are exactly what the described functionality requires.
Instruction Scope
SKILL.md and the scripts limit actions to refinORE API calls and user onboarding steps. The instructions do not tell the agent to read arbitrary files, other environment variables, or system config, and they advise users not to paste API keys in chat. The agent will run included bash scripts (curl + python3 json parsing) which is consistent with the described functionality.
Install Mechanism
No install spec — instruction-only with bundled scripts. There are no remote downloads, package installs, or archive extraction steps. Required binaries (bash, curl, python3) are reasonable for the provided scripts.
Credentials
Only two env vars are required (REFINORE_API_URL and REFINORE_API_KEY) and the primary credential is the refinORE API key, which is proportionate to the skill's purpose. Note: the API key appears to be persistent and can start sessions, create orders, and edit strategies via the API — users should verify what privileges the key grants (start/stop sessions, create DCA/limit orders, live-edit strategies) and consider using limited-scope or revocable keys if refinORE supports them.
Persistence & Privilege
always:false and disable-model-invocation:false (normal). The skill does not request or modify other skills' config or system-wide settings. The scripts do not persist secrets to disk; they read the API key from the env or arguments. No elevated platform privileges are requested.
Assessment
This skill is internally coherent: it only calls refinORE API endpoints and asks for the refinORE API URL and key. Before installing, verify the refinORE service and domain (automine.refinore.com) yourself and confirm the API key's scope/privileges on their docs. Prefer creating a limited or revocable API key if possible, set it as an environment variable (not pasted into chat), and test with a very small balance first. Review the included scripts locally before running them to confirm they behave as expected. If you cannot verify refinORE's legitimacy (no official homepage or third-party reputation), consider running the skill in an isolated environment and revoke the API key after testing.

Like a lobster shell, security has layers — review code before you run it.

OREvk975bk2158v69z10g50x57agx980hv9mautonomousvk975bk2158v69z10g50x57agx980hv9mclawdbotvk975bk2158v69z10g50x57agx980hv9mdefivk975bk2158v69z10g50x57agx980hv9mlatestvk9775n8xfad16ze4f73pkn1v9582pc4sminingvk975bk2158v69z10g50x57agx980hv9mopenclawvk975bk2158v69z10g50x57agx980hv9msolanavk975bk2158v69z10g50x57agx980hv9mstablevk975bk2158v69z10g50x57agx980hv9m

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

⛏️ Clawdis
EnvREFINORE_API_URL, REFINORE_API_KEY
Primary envREFINORE_API_KEY

Comments