aibtc
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to do what it says, but it starts a detached crypto-mining worker by running an unpinned npm package through npx, so it deserves careful review before use.
Install only if you intentionally want your agent to run a cryptocurrency mining worker. Before running it, verify the external `aibtc-worker` package/source, understand that it may keep running in the background and use CPU/network resources, and know how to stop it with `aibtc stop`.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Starting the worker may run whatever code the npm package resolves to at that time, not only the reviewed handler.js wrapper.
The reviewed skill delegates its main behavior to an npm package fetched/executed through npx at runtime, with no version pin, lockfile, install spec, or included worker source in the supplied artifacts.
currentProcess = spawn('npx', ['--yes', 'aibtc-worker', address, '--threads', '4'], {
Pin the worker package version and integrity, declare the npx/node dependency, include or verify the worker source, and require clear user confirmation before first execution.
The mining process can continue consuming local resources after the conversation step finishes, until the user stops it.
The handler intentionally starts the worker as a detached process that can keep running after the skill invocation ends.
detached: true, // allow the child process to continue running after the parent exits ... currentProcess.unref();
Use this only when you intend to run a continuing mining worker, monitor CPU/resource usage, and run `aibtc stop` when finished.
If the state file is stale or altered, stopping the worker could affect an unrelated local process group.
The stop path sends a signal to the process group identified by a stored PID, without confirming that the PID still belongs to the aibtc-worker process.
const data = JSON.parse(fs.readFileSync(STATE_FILE)); ... process.kill(-data.pid);
Store state in a skill-owned location, validate that the PID command line matches the intended worker before killing it, and handle stale PID files safely.
