ORE Miner
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could start using the user's SOL balance for mining rounds, which can lose money, without the user separately approving the exact amount or duration at the moment of execution.
The skill directs the agent to begin a financial mining activity as soon as credentials and funding exist, rather than requiring an explicit final confirmation, spending cap, or stop condition.
"Once I have the key, I'll start mining for you immediately."
Require explicit user confirmation before starting mining, state the SOL amount and expected cadence, and set a user-approved maximum loss, balance floor, or time limit.
A mistaken amount, risky strategy, compromised key, or unexpected market condition could cause repeated losses until the session is stopped or funds run low.
The helper starts sessions configured to restart every round, so one start action can repeatedly deploy funds over time.
"auto_restart\": true,\n \"frequency\": \"every_round\"
Default auto-restart to off or require a clear user-approved budget, maximum rounds, balance floor, and easy stop command before enabling recurring mining.
Anyone with the key may be able to view account information and operate mining-related account functions through refinORE.
The API key is expected for this integration, but it is persistent and can authorize account and mining actions.
"Your human generates an API key in refinORE Settings → API Keys. This is persistent and doesn't expire."
Use an environment variable, avoid pasting the key in chat, verify the API URL is official, and revoke or rotate the key if it may have been exposed.