Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

rBTC Miner

v1.0.0

Runs a patched Bitcoin Core node with built-in CPU mining, supporting configurable CPU usage, thread count, and automated secure updates.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for happybigmtn/rbtc.

Install the skill "rBTC Miner" (happybigmtn/rbtc) from ClawHub.
Skill page: https://clawhub.ai/happybigmtn/rbtc
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install happybigmtn/rbtc

ClawHub CLI

npx clawhub@latest install rbtc

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the SKILL.md: it intends to build, run, mine, and update a patched Bitcoin Core. However, the clawhub.json lists an entrypoint (install.sh) and many scripts that are not included in the bundle. That mismatch (metadata claims local scripts, but the package only contains SKILL.md and clawhub.json) is unexpected and reduces coherence: the runtime instructions assume local scripts that don't exist in the package.
Instruction Scope
SKILL.md instructs running install.sh, build scripts, updater.sh, and a CPU miner; these actions involve fetching upstream releases, applying patches, compiling, and swapping runtime symlinks. Those operations legitimately belong to the described purpose, but they require executing code (scripts or downloads) not present in the bundle. The instructions also reference user filesystem paths (~/.rbitcoin) and advise adding seed nodes / IPs; all expected for a node, but they also allow auto-accepting network patch hashes (AUTO_ACCEPT_NETWORK_PATCH_HASH defaults to 1), which could permit automatic acceptance of network-changing patches without strict pinning.
Install Mechanism
There is no install spec and no scripts included. The SKILL.md assumes local scripts (install.sh, scripts/*). Because those files are absent, the actual install mechanism is unclear — the agent or user would likely fetch code from the referenced GitHub repo or another external source at runtime. That implicit download/execution path increases risk: arbitrary code fetched/executed from the network is higher-risk unless provenance is verified.
Credentials
The skill does not request credentials or privileged environment variables. Declared env vars (miner settings, AUTO_ACCEPT_NETWORK_PATCH_HASH) are proportional to a mining/node skill. Still, AUTO_ACCEPT_NETWORK_PATCH_HASH defaulting to 1 is notable because it relaxes strict patch-hash pinning and could lead to accepting upstream/patch differences automatically.
Persistence & Privilege
always is false and the skill is user-invocable; it does not request elevated or persistent platform privileges. Autonomous invocation is allowed (default) but is not combined with other strong red flags here. The main persistence concern is that the skill's updater would perform atomic swaps of runtime symlinks on the host if the user runs the scripts.
What to consider before installing
This skill's intent (run a patched Bitcoin Core and CPU miner) is plausible, but the package is missing the scripts it tells you to run. Before installing or executing anything:
1) Inspect the referenced GitHub repository (https://github.com/happybigmtn/rBTC) and review every install/update script locally — do not run unknown install.sh/updater.sh blindly.
2) Prefer to clone the repo and manually review build/install scripts, patch contents, and the update manifest.
3) Set AUTO_ACCEPT_NETWORK_PATCH_HASH=0 to avoid auto-accepting network/chain identity changes until you've audited patch hashes.
4) Restrict RPC_BIND / RPC_ALLOWIP to localhost and do not expose RPC ports publicly.
5) Be aware CPU mining will consume resources and run potentially long-lived processes; run in an isolated environment (VM/container) if you want to experiment.
6) Additional evidence that would raise confidence to benign: a complete package with the declared scripts included, reproducible build logs, signed upstream manifests, and an explicit, auditable mechanism for fetching upstream releases (e.g., pinned GitHub release URLs and GPG/sha256 verification steps present and verifiable).

Like a lobster shell, security has layers — review code before you run it.

latest vk9795jrr86bbx8572de19wb1k982e7tq
322 downloads
0 stars
1 version
Updated 11h ago
v1.0.0
MIT-0

rBitcoin Agent Skill

Bitcoin Core fork from genesis, upstream-pinned to official release tags. The only delta is a scope-limited immutable patch for chain identity.

Quickstart

./install.sh v30.2

This verifies the upstream release (GPG + checksums), builds with the immutable patch, starts the node, and optionally starts a CPU miner.

Override defaults:

MINER_CPU_PERCENT=25 MINER_MAX_THREADS=2 ./install.sh v30.2

Environment Variables

| Variable | Default | Description |
|---|---|---|
| MINER_CPU_PERCENT | 25 | Max CPU percentage for mining |
| MINER_MAX_THREADS | 2 | Max miner threads |
| MINER_THREADS | (auto) | Explicit thread count |
| MINER_BACKGROUND | 0 | Run miner in background |
| START_MINER | 1 | Set to 0 to skip miner startup |
| AUTO_ACCEPT_NETWORK_PATCH_HASH | 1 | Set to 0 for strict patch-hash pinning |
| RPC_ALLOWIP | 127.0.0.1 | RPC access control |
| RPC_BIND | 127.0.0.1 | RPC bind address |
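
A fail-closed pre-flight check for the settings in the table above, added here as an example; it is not part of the skill or its repository. The function names and the pinned-hash argument are hypothetical, and only the variable names and defaults come from the table.

```sh
#!/bin/sh
# Added example, not from the rBTC repository. Function names are hypothetical;
# variable names and defaults are taken from the README table.

# Exact match only: a CIDR such as 127.0.0.1/0 would allow every address.
is_loopback() {
  [ "$1" = "127.0.0.1" ] || [ "$1" = "::1" ]
}

sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# preflight PATCH_FILE PINNED_SHA256
# Prints one line per failed check; exit status is the number of failures.
preflight() {
  patch_file=$1; pinned=$2; failures=0
  # Unset means the README default of 1, i.e. auto-accept is on.
  if [ "${AUTO_ACCEPT_NETWORK_PATCH_HASH:-1}" != "0" ]; then
    echo "FAIL: AUTO_ACCEPT_NETWORK_PATCH_HASH must be 0 for strict pinning"
    failures=$((failures + 1))
  fi
  if ! is_loopback "${RPC_BIND:-127.0.0.1}"; then
    echo "FAIL: RPC_BIND is not a loopback address"
    failures=$((failures + 1))
  fi
  if ! is_loopback "${RPC_ALLOWIP:-127.0.0.1}"; then
    echo "FAIL: RPC_ALLOWIP is not a loopback address"
    failures=$((failures + 1))
  fi
  if [ ! -f "$patch_file" ]; then
    echo "FAIL: patch file not found: $patch_file"
    failures=$((failures + 1))
  elif [ "$(sha256_of "$patch_file")" != "$pinned" ]; then
    echo "FAIL: patch sha256 does not match the pinned value"
    failures=$((failures + 1))
  fi
  return "$failures"
}

# Usage (the pinned value comes from your own audit of the patch):
#   preflight ./patch/immutable.patch "$PINNED_PATCH_SHA256" && ./install.sh v30.2
```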

Verify

Audit the upstream release and local binary without running a node:

./scripts/agent_verify.sh v30.2

Outputs a machine-readable report to reports/agent-verify-v30.2.json.

Verify patch scope stays within the allowed file set:

./scripts/enforce_patch_scope.sh ./patch/immutable.patch

Verify binary provenance against a manifest:

./scripts/verify_local_binary.sh ./build/bitcoind ./manifests/manifest.json

Build

./scripts/build_from_tag.sh v30.2

Fetches the upstream tag, applies the immutable patch, and compiles. The binary lands in ./build/bitcoind.

Generate the update manifest after building:

./scripts/make_update_manifest.sh v30.2

Run

./scripts/run_node.sh --datadir ~/.rbitcoin --network main

RPC defaults to port 19332, P2P to 19333. Connect to seed nodes by adding addnode=<ip>:19333 entries to ~/.rbitcoin/bitcoin.conf.

Mine

Solo CPU mining with cpuminer (sha256d):

./scripts/start_cpu_miner.sh --datadir ~/.rbitcoin --network main

For single-block mining (regtest/dev):

./scripts/mine_solo.sh --address <ADDRESS> --network regtest

Update

Atomic update to a new upstream tag:

./scripts/updater.sh v30.3

This builds and verifies the new version, then atomically swaps the runtime/current symlink. The previous version is preserved for rollback.

Check for the latest upstream release:

./scripts/fetch_upstream_release.sh
