MinerDetector
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill mostly matches its stated paid-export purpose, but it can charge a billing account and the code does not strictly enforce the advertised 0.01 USDT limit or a fixed billing endpoint.
Only use this skill if you intend to connect a MinerDetector/SkillPay billing API key and pay for exports. Before running fetch, confirm the exact charge amount and ensure MINERDETECTOR_BILLING_API_URL is unset or points to the billing service you trust.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent invocation could charge more than the advertised 0.01 USDT if a larger amount is supplied.
The skill is advertised as charging 0.01 USDT, but the fetch command can be invoked with an arbitrary --amount and the script charges that supplied amount before exporting the files.
```python
DEFAULT_CHARGE_AMOUNT = 0.01
...
charge = charge_user(args.user_id, api_key, args.amount)
...
p_fetch.add_argument("--amount", type=float, default=DEFAULT_CHARGE_AMOUNT, help="Charge amount in USDT.")
```

Enforce a fixed 0.01 USDT charge for fetch, or require explicit user confirmation and clear display of the amount before any charge.
A user may be billed when they ask to get or refresh the files, especially if they did not realize each fetch is a paid action.
The default agent instruction maps broad, ordinary download/update wording to a paid fetch action without telling the agent to ask for confirmation immediately before charging.
- When the user asks to **update**, **refresh**, **download**, or **get** the miner signature libraries, run `fetch`.
Add an explicit pre-charge confirmation step in the agent instructions, including the exact amount and billing user ID.
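One way to apply both recommendations above (a fixed charge, and an explicit pre-charge confirmation that shows the exact amount and billing user ID), written here as an added example and not the skill's own code: the `--amount` option is removed from the `fetch` subcommand so argparse rejects any attempt to pass one, the price is a constant, and nothing is charged until the caller answers the prompt or passes an explicit `--yes`. The `--yes` flag, the `ChargeRefused` exception and the injected `charge_fn` callable are assumptions for illustration; the real `charge_user` signature is only partly shown on this page.

```python
import argparse
from decimal import Decimal

# The advertised price, as a Decimal so it cannot drift through float arithmetic.
FIXED_CHARGE_AMOUNT = Decimal("0.01")


class ChargeRefused(Exception):
    """Raised when the caller does not confirm the charge (hypothetical)."""


def build_parser():
    """Argument parser for the CLI (hypothetical flags, not the skill's own).

    There is deliberately no --amount option: argparse exits on any attempt to
    supply one, so a caller cannot raise the charge above FIXED_CHARGE_AMOUNT.
    """
    parser = argparse.ArgumentParser(prog="minerdetector")
    sub = parser.add_subparsers(dest="command", required=True)
    fetch_cmd = sub.add_parser("fetch", help="Pay for and download the signature export.")
    fetch_cmd.add_argument("--user-id", required=True, help="Billing user ID to charge.")
    fetch_cmd.add_argument(
        "--yes", action="store_true",
        help=f"Confirm the {FIXED_CHARGE_AMOUNT} USDT charge without prompting.",
    )
    return parser


def confirmation_prompt(user_id):
    """Exact text shown before any charge: amount and billing user ID, nothing hidden."""
    return (f"This will charge {FIXED_CHARGE_AMOUNT} USDT to billing user {user_id!r}. "
            "Proceed? [y/N] ")


def fetch(args, charge_fn, ask=input):
    """Charge the fixed amount only after explicit confirmation; return the receipt.

    charge_fn(user_id, amount) stands in for the skill's billing call and
    ask(prompt) for the interactive prompt (an agent would surface it to the user).
    """
    if not args.yes:
        answer = ask(confirmation_prompt(args.user_id)).strip().lower()
        if answer not in ("y", "yes"):
            raise ChargeRefused("charge not confirmed by user; nothing was billed")
    # The constant is the only amount this code path can ever hand to billing.
    return charge_fn(args.user_id, FIXED_CHARGE_AMOUNT)


if __name__ == "__main__":
    import sys

    def dry_run_charge(user_id, amount):
        # Stand-in for the real billing call so the example runs offline.
        return {"user_id": user_id, "amount": str(amount), "status": "dry-run"}

    print(fetch(build_parser().parse_args(sys.argv[1:]), dry_run_charge))
```

Run it as `python minerdetector_fetch.py fetch --user-id u-1` to see the prompt; `--amount 5` is rejected by the parser before any billing code runs.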
If MINERDETECTOR_BILLING_API_URL is set unexpectedly, the billing API key and billing requests could be sent to a host other than the documented SkillPay host.
The user-provided billing API key is sent to a host that can be changed through an environment variable that is not documented in SKILL.md or the registry requirements.
```python
BILLING_API_URL = os.environ.get("MINERDETECTOR_BILLING_API_URL", "https://skillpay.me").rstrip("/")
...
headers = {"X-API-Key": api_key}
```

Document the override clearly or remove it; preferably restrict billing calls to the intended host unless the user explicitly opts in.
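A hardened version of the host lookup, written here as an added example rather than the skill's code: the documented https://skillpay.me default is kept, MINERDETECTOR_BILLING_API_URL is still honored, but only for a trusted host unless a separate opt-in variable is also set, and the scheme must be https so the X-API-Key header never travels in clear. Comparing `parsed.hostname` rather than the raw string means lookalikes such as `https://skillpay.me@evil.example` (userinfo) or `https://skillpay.me.evil.example` (subdomain) do not pass. The opt-in variable name MINERDETECTOR_ALLOW_CUSTOM_BILLING_HOST, the `BillingHostRejected` exception and the trusted-host list are assumptions for illustration.

```python
import os
from urllib.parse import urlparse

URL_VAR = "MINERDETECTOR_BILLING_API_URL"                 # override the skill already reads
OPT_IN_VAR = "MINERDETECTOR_ALLOW_CUSTOM_BILLING_HOST"    # hypothetical explicit opt-in
DEFAULT_BILLING_URL = "https://skillpay.me"               # documented SkillPay host
TRUSTED_BILLING_HOSTS = frozenset({"skillpay.me"})        # hosts allowed without opt-in


class BillingHostRejected(Exception):
    """Raised instead of sending the API key to an unexpected host (hypothetical)."""


def resolve_billing_url(env=None):
    """Return the base URL billing requests may use, or refuse with an error.

    env is a mapping (defaults to os.environ) so the logic can be tested offline.
    Only parsed.hostname is compared against the trusted list, so userinfo and
    subdomain tricks in the raw string do not match.
    """
    env = os.environ if env is None else env
    raw = env.get(URL_VAR, DEFAULT_BILLING_URL).rstrip("/")
    parsed = urlparse(raw)
    if parsed.scheme != "https":
        raise BillingHostRejected(f"{URL_VAR} must be an https URL, got {raw!r}")
    host = parsed.hostname
    if not host:
        raise BillingHostRejected(f"{URL_VAR} has no host: {raw!r}")
    if host in TRUSTED_BILLING_HOSTS:
        return raw
    if env.get(OPT_IN_VAR) == "1":
        # Explicit opt-in: the user chose to send their key somewhere else.
        return raw
    raise BillingHostRejected(
        f"refusing to send the billing API key to {host!r}; "
        f"set {OPT_IN_VAR}=1 to allow a custom billing host"
    )


def effective_billing_host(env=None):
    """Hostname to show in the pre-charge confirmation, after the same checks."""
    return urlparse(resolve_billing_url(env)).hostname


if __name__ == "__main__":
    # Uses the real process environment; prints the host a charge would go to.
    print("billing host:", effective_billing_host())
```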
