ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ClawSkill

Mine RustChain Tokens (RTC) by proving your AI agent runs on real hardware with secure, open-source attestation and built-in wallet management.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
2 · 1k · 0 current installs · 0 all-time installs
byAutoJanitor@scottcjn
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill claims to be 'open-source mining software' with miner scripts bundled inside the package (inspectable in data/). The provided manifest only contains SKILL.md and package.json — no miner scripts or data/ directory are present. Yet SKILL.md instructs the user/agent to run 'pip install clawskill' or 'npm install -g clawskill', meaning the actual miner would be downloaded from external registries at install time. This mismatch between 'bundled' vs 'downloaded' is incoherent for a skill that claims local verifiability.
!
Instruction Scope
The runtime instructions tell the agent to execute system package installs (pip/npm) and then run miner commands that attest hardware and periodically send fingerprinting data to a network node. The SKILL.md asserts strong transparency guarantees (local hashes, consent prompts, no external downloads) but the shipped skill lacks the files that would enable those guarantees. The instructions also do not explain wallet key handling or how attestation data is protected — the skill will collect periodic hardware fingerprints and a wallet identifier and send them to a RustChain node, which is significant telemetry even if not 'credentials'.
!
Install Mechanism
There is no install specification in the skill bundle, but SKILL.md directs installation from public package registries (PyPI/npm). This creates a moderate-to-high risk because code will be fetched from the network at install time. SKILL.md's repeated claim that 'All miner scripts are bundled inside the package — no external downloads at install time' contradicts the explicit pip/npm install commands, making the install mechanism claims unreliable.
Credentials
The skill requests no environment variables or special system config paths, which is proportionate on its face. However, it will create files under ~/.clawskill, create a wallet, and periodically transmit hardware fingerprinting telemetry and a wallet name to remote nodes. The lack of declared credentials is not reassuring here because the telemetry and wallet data handling (private keys, backups, storage security) is unspecified.
Persistence & Privilege
The skill is not marked always:true and background service is opt-in per SKILL.md, which is reasonable. However, because the instructions can cause the agent to install and run external software and then perform recurring network attestation, autonomous invocation combined with the ability to fetch and install packages increases blast radius. This combination is noteworthy even though autonomous invocation alone is normal.
What to consider before installing
Do not install or run this skill until you resolve the contradictions and verify sources. Specific actions to take before proceeding: - Inspect the upstream GitHub repo (https://github.com/Scottcjn/Rustchain) and the PyPI/npm packages the SKILL.md references. Confirm the package versions and that their contents actually include the miner scripts and the SHA256 hashes the README claims. - If you consider installing, download and inspect the PyPI/npm package contents locally (do not run install blindly). Verify cryptographic hashes and read the miner source code to see how wallets/keys are stored and how telemetry is sent. - Treat the installer behavior as network-download-of-code: prefer running it inside an isolated environment or disposable VM that you can wipe, not on your primary machine. - Ask the skill author to explain the discrepancy: why does SKILL.md claim 'bundled' files while this registry package lacks them, and why does it assert 'no external downloads' while instructing pip/npm install? - If you cannot perform code review and independent verification, avoid installing. The current package contents and SKILL.md claims are internally inconsistent and could enable unexpected remote code execution.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.2.1
Download zip
blockchainvk975fxfqsc7wkzxa9p5ypkg1cs80rjr4hardwarevk975fxfqsc7wkzxa9p5ypkg1cs80rjr4latestvk977wzfd71yw7nfa0w5em9c7ch814x3sminervk975fxfqsc7wkzxa9p5ypkg1cs80rjr4proof-of-antiquityvk975fxfqsc7wkzxa9p5ypkg1cs80rjr4rtcvk975fxfqsc7wkzxa9p5ypkg1cs80rjr4rustchainvk975fxfqsc7wkzxa9p5ypkg1cs80rjr4

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

ClawSkill — Mine RTC Tokens With Your AI Agent

Mine RTC (RustChain Tokens) by proving your agent runs on real hardware. One command to install, automatic attestation, built-in wallet.

Security & Transparency

This skill is open-source mining software, not malware. Before installing, you can verify everything:

# Preview what will happen — nothing installed
clawskill install --dry-run

# Show SHA256 hashes of bundled files
clawskill install --verify
ConcernHow We Address It
Code originAll miner scripts are bundled inside the package — no external downloads at install time. Inspect them yourself in the data/ directory. Source code: RustChain GitHub repo.
Background serviceOpt-in only. Install does NOT create a service by default. You must explicitly pass --service to enable auto-start. Without it, the miner runs in the foreground only when you say so.
Hardware fingerprintingRequired for Proof-of-Antiquity consensus. Collects CPU model, timing variance, and cache latency — nothing personal. No files, passwords, browsing data, or credentials are accessed. Full disclosure shown before install with a consent prompt.
Network endpointThe RustChain node uses a CA-signed TLS certificate (Let's Encrypt). All communication is standard HTTPS with certificate verification.

What Data Is Collected

During attestation (every few minutes when mining), the following is sent to the RustChain node:

  • CPU model name and architecture (e.g. "AMD Ryzen 5 8645HS", "x86_64")
  • Clock timing variance (coefficient of variation — proves real oscillator, not emulated)
  • Cache latency profile (proves real L1/L2/L3 hierarchy)
  • VM detection flags (hypervisor present: yes/no)
  • Wallet name (your chosen identifier)

NOT collected: file contents, browsing history, credentials, IP geolocation, personal data, or anything from your filesystem.

Clean Uninstall

clawskill uninstall   # Removes ALL files, services, and configs

Install

# Python (recommended)
pip install clawskill

# Node.js
npm install -g clawskill

Setup

# Install miner + configure wallet (shows disclosure, asks consent)
clawskill install --wallet my-agent-miner

# Start mining in foreground (Ctrl+C to stop)
clawskill start

# Or: start with background auto-restart (opt-in)
clawskill start --service

How It Works

  1. Hardware Fingerprinting — 6 cryptographic checks prove your machine is real:

    • Clock-skew & oscillator drift
    • Cache timing fingerprint (L1/L2/L3 latency)
    • SIMD unit identity (SSE/AVX/AltiVec/NEON bias)
    • Thermal drift entropy
    • Instruction path jitter (microarchitectural)
    • Anti-emulation behavioral checks

  2. Automatic Attestation — Your agent attests to the RustChain network every few minutes

  3. Per-Epoch Rewards — RTC tokens accumulate in your wallet each epoch (~10 minutes)

  4. VM Detection — Virtual machines are detected and receive effectively zero rewards. Real iron only.

Multipliers

HardwareMultiplierNotes
Modern x86/ARM1.0xStandard rate — this is you
Apple Silicon (M1/M2/M3)1.2xSlight bonus
IBM POWER81.5xServer-class vintage
PowerPC G52.0xVintage bonus
PowerPC G42.5xMaximum vintage bonus
VM/Emulator~0xDetected and penalized

Commands

CommandDescription
clawskill installExtract miner, create wallet (consent prompt, no service by default)
clawskill install --serviceInstall + create background service
clawskill install --dry-runPreview without making any changes
clawskill install --verifyShow SHA256 hashes of bundled files
clawskill startStart mining in foreground
clawskill start --serviceStart + create auto-restart service
clawskill stopStop mining
clawskill statusCheck miner + network status + file hashes
clawskill logsView miner output
clawskill uninstallRemove everything cleanly

What Gets Installed

  • Miner scripts bundled with the package (2 Python files, no external downloads)
  • Python virtual environment with one dependency (requests)
  • All files stored in ~/.clawskill/ (user-scoped, no root needed)
  • No background service unless you pass --service

Requirements

  • Python 3.8+ (installed on most systems)
  • Linux or macOS
  • Real hardware (not a VM)

Links

License

MIT — Elyan Labs

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…