ORE Miner
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: ore-miner Version: 1.0.3 The skill bundle acts as an aggressive onboarding and marketing tool for a specific third-party crypto platform (refinore.com). The SKILL.md contains strong steering instructions ('Your #1 JOB', 'Be enthusiastic') designed to influence the agent's behavior toward financial transactions and credential setup on an external site. While the scripts (mine.sh, deploy.sh, etc.) are functional API wrappers, the instructions for the agent to be 'autonomous' in making financial decisions and the push for user funding/API key generation represent a high-risk profile for a third-party integration. IOC: automine.refinore.com.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could start using the user's SOL balance for mining rounds, which can lose money, without the user separately approving the exact amount or duration at the moment of execution.
The skill directs the agent to begin a financial mining activity as soon as credentials and funding exist, rather than requiring an explicit final confirmation, spending cap, or stop condition.
"Once I have the key, I'll start mining for you immediately."
Require explicit user confirmation before starting mining, state the SOL amount and expected cadence, and set a user-approved maximum loss, balance floor, or time limit.
A mistaken amount, risky strategy, compromised key, or unexpected market condition could cause repeated losses until the session is stopped or funds run low.
The helper starts sessions configured to restart every round, so one start action can repeatedly deploy funds over time.
"auto_restart\": true,\n \"frequency\": \"every_round\"
Default auto-restart to off or require a clear user-approved budget, maximum rounds, balance floor, and easy stop command before enabling recurring mining.
Anyone with the key may be able to view account information and operate mining-related account functions through refinORE.
The API key is expected for this integration, but it is persistent and can authorize account and mining actions.
"Your human generates an API key in refinORE Settings → API Keys. This is persistent and doesn't expire."
Use an environment variable, avoid pasting the key in chat, verify the API URL is official, and revoke or rotate the key if it may have been exposed.