Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Easy Mining
v1.1.0BTC mining farm management via natural language. Activate when user mentions mining farm, miners, hashrate, BTC mining, miner reboot, mining revenue, Nonce m...
⭐ 0· 59·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
Name, description, and provided tools match a mining-farm management skill. The included CLI wrapper and mappings to Nonce MCP tools are coherent and proportionate for the stated functionality.
Instruction Scope
SKILL.md explicitly instructs the user to provide their Nonce API Key per request and to paste it into the conversation or pass it to the CLI. The packaged Python client sends the api_key as an argument to Antalpha's MCP server (https://mcp-skills.ai.antalpha.com/mcp). That means your API key is transmitted to Antalpha's server even though the docs claim keys are 'not stored' — transmission to a third party is concrete and present in the runtime instructions and code.
Install Mechanism
No install spec (instruction-only plus a small helper script) — low local install risk. However the included script communicates with a remote MCP server (Antalpha) over HTTPS; the install/packaging itself does not hide additional downloads or execution.
Credentials
The skill requests no environment variables or persistent credentials in metadata, but it requires you to supply a sensitive Nonce API key at runtime. Supplying that key is necessary to access Nonce data, but the key is forwarded to Antalpha's MCP endpoint rather than used directly by a local client — this additional transmission to a third party is not represented in required env/config fields and increases exposure.
Persistence & Privilege
The skill is not marked always:true and does not request system-level privileges or persistent local changes. The client opens short-lived MCP sessions to Antalpha's server; there is no code in the package that writes credentials to disk or modifies other skills.
What to consider before installing
Before installing or using this skill, understand that you will be asked to provide your Nonce API key and the included client will send that key to Antalpha's MCP server (https://mcp-skills.ai.antalpha.com/mcp) for every request. The SKILL.md asserts keys are 'not stored', but that claim cannot be verified from this package — the key will still be transmitted to a third party. Recommended precautions: (1) Prefer generating a scoped/restricted Nonce API key with minimal permissions and rotate it after testing; (2) Test with a non-production/test account first; (3) Avoid pasting long-lived production keys into chat — use the CLI with a short-lived/test key if possible; (4) Review Antalpha's privacy/security documentation or request an audit/attestation that keys are not logged/persisted; (5) If you need stronger guarantees, consider using a client that calls Nonce MCP directly (no intermediary) or run your own trusted proxy. If you want me to re-evaluate as benign, provide evidence or documentation that Antalpha's MCP server does not persist or log API keys (audit logs, retention policy, or a signed attestation).Like a lobster shell, security has layers — review code before you run it.
latestvk97fbevacrq4hwra0ctvd9522d84nf07
License
MIT-0
Free to use, modify, and redistribute. No attribution required.