Apow Mining

Warn

Audited by ClawScan on May 10, 2026.

Overview

This skill is transparent about mining crypto, but it gives the agent control over a funded wallet and runs unpinned external npm code that can spend funds.

Treat this as high-risk crypto automation. Only run it with a new burner wallet, fund it with the smallest amount you are willing to lose, inspect and pin the apow-cli package first, and require explicit approval for any bridge, mint, mining, or x402 spending action.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

ETH and USDC sent to the generated wallet could be spent on gas, minting, x402 services, or mining activity under agent/CLI control.

Why it was flagged

The instructions authorize the agent to perform high-impact crypto actions after the user funds the wallet, without clear visible spending caps or per-action confirmation requirements.

Skill content

You are the operator. You can generate wallets, configure the miner, mint, and mine autonomously. The only step that requires your user is funding the wallet

Recommendation

Use only a disposable wallet with minimal funds, require explicit confirmation before minting/mining/funding actions, and set clear spend limits before running the workflow.

What this means

Anyone or any process with access to the workspace could potentially read the private key and take funds from the wallet.

Why it was flagged

The workflow stores a wallet private key in a local plaintext .env file. That private key controls any funds placed in the wallet.

Skill content

cat > .env << 'EOF'
PRIVATE_KEY=0x<from step 1>
USE_X402=true

Recommendation

Never use a main wallet or valuable private key. Prefer a burner wallet, minimal balances, isolated directories/containers, and secure deletion of .env when finished.

What this means

If the external package or repository changes or is compromised, it could affect wallet handling, transaction submission, or fund spending.

Why it was flagged

The skill executes external npm/GitHub code without a pinned version or integrity verification, while the submitted artifact contains no code for review.

Skill content

npx apow-cli start ... git clone https://github.com/Agentoshi/apow-cli.git
cd apow-cli && npm install

Recommendation

Inspect the apow-cli source, pin exact package versions or commits, verify checksums where possible, and run it in an isolated environment before funding the wallet.

What this means

Wallet address, mining activity, challenge data, and payment metadata may be processed by external x402/ClawRouter-related services.

Why it was flagged

The skill discloses use of x402-backed RPC, LLM, and grinding services. This is purpose-aligned, but it means activity and payments depend on external providers.

Skill content

Easy Mode writes the x402-backed config ... USE_X402=true
USE_X402_GRIND=true
LLM_PROVIDER=clawrouter

Recommendation

Review the external providers and expected charges before use, and avoid sending sensitive unrelated data through the mining workflow.