0G Compute
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: 0g-compute Version: 1.0.2 The 0g-compute skill bundle provides a legitimate interface for interacting with the 0G Compute Network, a decentralized AI inference marketplace. It includes tools for model discovery, TEE (Trusted Execution Environment) hardware attestation verification, wallet management, and a price comparison script (scripts/0g-price-compare.sh) that fetches data from CoinGecko and OpenRouter. The skill demonstrates security awareness by advising against passing private keys via command-line arguments and emphasizing the importance of TEE verification for provider integrity. No evidence of data exfiltration, malicious execution, or harmful prompt injection was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing the skill's required CLI means trusting the external npm package that provides wallet and provider operations.
The skill depends on a globally installed external npm package to provide the 0g-compute-cli binary; this is expected for the integration, but the package contents and version are not included in the skill artifacts.
npm i -g @0glabs/0g-serving-broker
Install only from a trusted npm registry, verify the package publisher/version, and consider pinning or auditing the package before using it with real funds.
Anyone who can read the stored private key may be able to access the wallet or funds associated with the 0G account.
The skill discloses that the 0G wallet private key is used for login and persisted by the CLI, which is powerful credential access but directly related to the stated wallet/provider workflow.
0g-compute-cli login --private-key "$OG_PK" ... Private key stored in `~/.0g-compute-cli/config.json` — never expose this file
Use a dedicated low-balance wallet, protect file permissions on ~/.0g-compute-cli/config.json, avoid placing private keys in shell history, and do not share config files or logs containing secrets.
If run with the wrong provider, network, or amount, these commands could move funds in an unintended way or make them unavailable for inference.
The documented CLI workflows include moving on-chain balances between the wallet, main account, and provider sub-accounts. These commands are purpose-aligned but financially impactful.
0g-compute-cli deposit --amount <0G> ... transfer-fund --provider <addr> --amount <0G> ... retrieve-fund ... refund --amount <0G>
Require explicit user confirmation for any deposit, transfer, retrieve, or refund command, and verify provider address, network, amount, and balance before execution.
Prompts or files sent to the configured model may be processed by the selected 0G provider rather than a local model or previous provider.
Configuring a 0G provider makes OpenClaw send model requests to an external provider endpoint. This is the intended integration, but it changes where prompts and model inputs are processed.
"baseUrl": "https://provider-url.example.com/v1/proxy", "apiKey": "<your-api-secret>", "api": "openai-completions"
Use verified providers, avoid sending highly sensitive data unless the provider and TEE verification are trusted, and keep provider API secrets out of shared configs.