Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AICash Miner

v1.0.0

AICash Network auto-miner for $CASH tokens on Base L2. Use when setting up automated Proof of Compute mining on the AICash mempool network. Supports multi-in...

by meigui@doctor-1017
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
! Purpose & Capability
The skill's stated purpose (automated mining) matches the included scripts and miner logic, but the required system-level actions (writing to /root/.openclaw, creating files in /etc/systemd/system, enabling services) imply the need for root privileges and a Node runtime. The registry metadata declares no required binaries or privileged access, which is inconsistent with the actual behavior.
! Instruction Scope
SKILL.md instructs the user to run scripts/setup.sh with API key/wallet/endpoint. The setup script then embeds the API key and wallet into a generated miner.js (via sed), writes that file to disk, creates/enables systemd service units, and starts them. The runtime instructions therefore direct the agent to modify system configuration and persist secrets to disk — actions that go beyond a simple CLI invocation and should be clearly declared and gated.
Install Mechanism
There is no external download/install spec (no network fetches, packages, or archives). That reduces some risk. However, the included setup script performs an implicit local install: creating an install directory under /root/.openclaw, generating miner.js, and writing systemd unit files under /etc/systemd/system. This is an on-disk install performed by the provided script and requires filesystem write permissions.
! Credentials
The skill asks for an API key, wallet, and endpoint as CLI arguments (reasonable for a miner), but the package metadata declared no required env vars or primary credential. The setup embeds the API key directly into miner.js on disk (plaintext), which increases credential exposure. The service units likely run the miner as root (Environment=HOME=/root), and the scripts call systemctl; the need for root privileges is not disclosed in the metadata.
! Persistence & Privilege
The setup script creates systemd services and enables/starts them (systemctl enable --now), giving the miner ongoing persistence and auto-restart at system level. This modifies system-wide configuration (/etc/systemd/system), which is a high-privilege, persistent action that should be explicitly declared and confirmed before install.
What to consider before installing
This skill includes scripts that will (a) write a miner binary into /root/.openclaw/workspace/aicash, (b) embed your API key and wallet into that file in plaintext, and (c) create/enable systemd services under /etc/systemd/system and start them — actions that require root. Before installing:

- Do not run the setup on your primary host without understanding the implications; run in an isolated VM or container first.
- Verify you are willing to grant root privileges: the setup calls systemctl and writes to /etc and /root.
- Confirm a legitimate endpoint domain (the SKILL.md references aicash.network and a Supabase endpoint). If the endpoint differs, do not supply real keys.
- Be aware the API key is written to disk inside miner.js (plaintext). Treat that key as compromised if you install; rotate it if you decide to remove the service.
- Ensure Node is installed and examine miner.js and the systemd unit(s) line-by-line before running. If you prefer less privilege, modify the scripts to run under an unprivileged user and avoid enabling services system-wide.

Overall: the code implements the claimed mining functionality, but it performs undeclared, high-privilege, persistent system changes and stores secrets on disk — consider this suspicious and review/contain it before use.
