Back to skill
Skillv1.0.0
ClawScan security
Monero Profitability Calculator · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 19, 2026, 2:09 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requirements, instructions, and behavior are coherent with a Monero mining profitability calculator and do not request unrelated credentials or install arbitrary code.
- Guidance
- This skill appears coherent and low-risk: it only describes a calculator and includes a small Python example that calls CoinGecko for price data. Before running any code from the SKILL.md, note that the example assumes Python + requests (which may not be installed) and would make an outbound HTTP request; run it in a sandbox or inspect/modify the code first if you are cautious. Also be aware the README includes a public Monero tip address (optional). If you plan to let an agent execute this autonomously, confirm you trust the agent environment and that no unexpected permissions or credentials are present.
Review Dimensions
- Purpose & Capability
- okThe name/description match the SKILL.md content: a profitability calculator that uses hardware, power, and market parameters. No unrelated env vars, binaries, or config paths are requested.
- Instruction Scope
- noteThe SKILL.md contains a small Python example that fetches price data from CoinGecko — this network request is expected for getting current XMR price. The doc also references a CLI command (monero-profitability) that is illustrative but not provided in the package. No instructions tell the agent to read unrelated files, drain credentials, or post data to unexpected endpoints.
- Install Mechanism
- okNo install spec or code files are present beyond SKILL.md and package.json (instruction-only). Nothing will be downloaded or written to disk by an installer.
- Credentials
- okThe skill requests no environment variables or credentials. The included Monero tip address is a public donation string and not a credential request; it is a monetization note rather than a required capability.
- Persistence & Privilege
- okThe skill does not request always:true and does not ask to modify agent/system configuration. Autonomous invocation is allowed (platform default) but not combined with other elevated privileges.