Clawhub Skill Bandwidth Income

Warn
Audited by ClawScan on May 10, 2026.

Overview

Review before installing: this skill is coherent, but it can turn your server into a set of persistent bandwidth/VPN/storage nodes using privileged Docker settings, unpinned containers, and account credentials.

Install only if you intentionally want to operate these bandwidth-sharing services and understand the consequences. Use an isolated machine or VM, read service and ISP terms, avoid 'setup all' until each platform is reviewed, pin and verify Docker images, use dedicated accounts and safe secret handling, and keep clear stop/remove instructions for every container.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your server and IP address could relay third-party VPN traffic, which may create ISP, legal, account, or abuse-report consequences.

Why it was flagged

The default Mysterium setup grants a container network-administration capability, exposes a port, keeps it running persistently, and auto-accepts service terms for a VPN exit node. The visible instructions do not add a clear approval or terms-review step before this high-impact network action.

Skill content
docker run -d ... --name mysterium-node ... --restart unless-stopped ... --cap-add NET_ADMIN ... -p 4449:4449 ... service --agreed-terms-and-conditions
Recommendation

Do not let an agent run this automatically. Read the service terms, check ISP/legal implications, use an isolated host or VM, and require explicit confirmation before opening ports or running a VPN exit node.

What this means

Service passwords may be visible in shell history, in Docker inspection output, or to processes inside the container, and compromised credentials could affect the user's bandwidth-sharing accounts.

Why it was flagged

The skill asks for service account credentials in Docker environment variables, while the registry metadata declares no required credentials or environment variables. The artifact also does not clearly bound how those credentials are protected, logged, or exposed to the container.

Skill content
-e GRASS_USER=your@email.com \
  -e GRASS_PASS=yourpassword \
  mrcolorrain/grass:latest
Recommendation

Use dedicated accounts and unique passwords, avoid pasting secrets into shell commands, prefer Docker secrets or protected env files, and ensure the skill metadata declares credential requirements.

What this means

A future image update or untrusted image could change behavior, misuse credentials, or affect the host/network without the user noticing.

Why it was flagged

The setup uses mutable ':latest' Docker images, including a Grass image from an unclear namespace that does not appear to belong to the vendor. These images are the code that will receive credentials and network access, but their exact versions are not pinned or reviewed in the artifacts.

Skill content
image: mrcolorrain/grass:latest ... image: mysteriumnetwork/myst:latest ... image: honeygain/honeygain:latest
Recommendation

Use official images where available, pin image digests or trusted versions, review image provenance, and avoid passing credentials to unverified containers.

What this means

Nodes may keep consuming bandwidth, disk, and power, and keep exposing network services, unless the user explicitly stops them.

Why it was flagged

The monitoring workflow intentionally keeps containers alive and restarts failed nodes. This is purpose-aligned for passive-income nodes, but it is persistent autonomous behavior that can continue beyond the initial setup.

Skill content
monitor start     — Start monitoring all nodes (checks every 5 min)
...
if [ "$status" != "running" ]; then
  echo "ALERT: $name is $status — restarting..."
  docker start $name
Recommendation

Set resource limits, document stop/remove commands, avoid enabling monitoring until you understand the impact, and periodically verify which containers are running.

What this means

Users may overestimate returns or underestimate the practical and legal risks of sharing their connection.

Why it was flagged

The artifact uses strong passive-income framing and high earnings estimates. It does include an 'actual earnings vary' caveat, but the visible text gives limited matching emphasis to legal, ISP, privacy, or abuse risks of bandwidth resale and VPN exit-node operation.

Skill content
Turn your unused internet bandwidth into passive crypto income ... Grass.io | Bandwidth sharing | $100-1000/mo
Recommendation

Verify real payout rates, taxes, fees, staking requirements, ISP rules, and local legal risks before running any node.