Skill v2.0.0

ClawScan security

Bonero-Miner · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 11, 2026, 8:40 AM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions match its stated purpose (running a CPU cryptocurrency miner) but include high-risk actions (downloading and executing a remote install script, building and running a background daemon) and declare none of the dependencies those steps need. The combination is coherent for a miner but disproportionately risky and deserves caution.
Guidance
This skill will make your machine download, build, and run a cryptocurrency miner that consumes CPU and network resources. Before installing or running it: (1) do not blindly run curl | bash; download install.sh to a file and inspect it first, or better, build from source in a controlled environment; (2) run every build and run step inside a VM, container, or sandbox, not on a production or personal machine you care about; (3) verify the GitHub repository and its commit history, and pin the commit you reviewed rather than a branch that can change after review; (4) remember that the daemon opens network connections and keeps running in the background, so monitor CPU, network, and processes while it runs; (5) never paste or expose your wallet seed or private keys to remote services, and never store them in environment variables; (6) consider disabling autonomous model invocation for this skill or requiring explicit human confirmation before any command is executed. If you are not comfortable auditing the install script or controlling resource usage, do not install.

Review Dimensions

Purpose & Capability
concern: The SKILL.md behavior (building from source, running a daemon, starting RandomX CPU mining) matches the skill name and description. However, the skill metadata declares no required binaries or dependencies even though the instructions clearly require curl, bash, git, build tools (cmake, make, compilers), jq, and network access. That mismatch is a coherence issue: the skill will not work without those tools, and the metadata understates its footprint.
Instruction Scope
concern: The instructions tell the agent to fetch and execute a remote install script (curl | bash), clone and build source, start a background daemon that mines, add peers by IP, and manipulate processes (pgrep/pkill). These are explicit system-level operations that go well beyond simple API queries: they download and run code, consume CPU, open network connections, and create wallets and seed phrases. The document asks the agent to 'Ask your human first', but nothing enforces that, and the instructions hand the agent direct commands it could run autonomously.
Install Mechanism
concern: There is no formal install spec, but the SKILL.md recommends piping a script from raw.githubusercontent.com into bash, a high-risk pattern (remote script execution). GitHub raw content is better than an unknown personal server, but piping to bash executes whatever the URL serves at that moment, and a URL that names a branch rather than a commit can change after it has been reviewed. The manual build instructions are standard but also require many system packages.
Credentials
note: The skill declares no environment variables or credentials, which is consistent with a miner. That said, the instructions create wallet seed phrases, advise storing them, and run networked peers; no environment secrets are requested, but the user must manage sensitive wallet seed material themselves. The lack of declared binaries and dependencies (see Purpose & Capability) is the main proportionality gap.
Persistence & Privilege
concern: always: false (good), but model invocation is enabled by default. Combined with a SKILL.md that instructs running a detached mining daemon, an agent could autonomously start persistent CPU mining unless human approval or platform controls prevent it. The skill requests no system-wide configuration changes in its metadata, but its runtime commands create a persistent process and modify system state (binaries, wallets, logs).
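One way to turn the SKILL.md's 'Ask your human first' into something enforced rather than requested, as an added example that is not code from ClawHub or from the skill: a wrapper placed between the agent and the shell that refuses daemon-starting, process-management or curl-to-shell commands unless a human approves them, and runs approved commands at low priority with a CPU-time cap. The CLAW_CONFIRM, CLAW_CPU_SECONDS and CLAW_AUDIT_LOG variables, the function names and the approval pattern list are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not ClawHub's or the skill's code: a wrapper placed between the
# agent and the shell so "Ask your human first" is enforced, not just requested.
set -euo pipefail

# Commands that start, detach or manage a resident process, or pipe a download
# into a shell. Assumption: illustrative list, not a ClawScan rule set.
NEEDS_APPROVAL='(^|[^[:alnum:]_])(nohup|setsid|disown|pkill|pgrep|systemctl|crontab)([^[:alnum:]_]|$)|&[[:space:]]*$|curl[^|]*[|][[:space:]]*(ba)?sh'

# needs_approval CMD: 0 if CMD must be confirmed by a human, 1 if it may run unattended.
needs_approval() {
  grep -qE -- "$NEEDS_APPROVAL" <<<"$1"
}

# ask_human CMD: the hypothetical CLAW_CONFIRM=yes|no lets a test harness answer
# for the operator; otherwise the question goes to the controlling terminal,
# never to the model's own output stream, which the agent could answer itself.
ask_human() {
  local answer
  if [ -n "${CLAW_CONFIRM:-}" ]; then
    answer=$CLAW_CONFIRM
  elif [ -c /dev/tty ] && [ -r /dev/tty ]; then
    printf 'Skill wants to run:\n  %s\nApprove? [y/N] ' "$1" >/dev/tty
    read -r answer </dev/tty
  else
    answer=no      # no human reachable: fail closed
  fi
  case $answer in y|Y|yes|YES) return 0 ;; *) return 1 ;; esac
}

# guarded_run CMD: refuse (exit 2) without approval; otherwise append the command
# to CLAW_AUDIT_LOG (hypothetical) and run it niced with a CPU-seconds cap so a
# runaway miner cannot monopolise the host or outlive the operator's attention.
guarded_run() {
  local cmd=$*
  if needs_approval "$cmd" && ! ask_human "$cmd"; then
    printf 'refused (no human approval): %s\n' "$cmd" >&2
    return 2
  fi
  printf '%s\tRUN\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$cmd" >>"${CLAW_AUDIT_LOG:-/dev/null}"
  (
    ulimit -t "${CLAW_CPU_SECONDS:-600}"   # CPU seconds, inherited by the miner
    exec nice -n 19 bash -c "$cmd"
  )
}
```

The gate only helps if the agent cannot bypass it, so it belongs in the platform's command execution path (or a restricted shell the agent is given), not in the SKILL.md the agent reads. The CPU-time cap is deliberately short: a miner that is meant to run for hours is exactly the case where the operator should be re-prompted rather than left with a process that survives the session.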