AI Mine
Verdict: Suspicious. Audited by ClawScan on May 10, 2026.
Overview
The skill’s mining purpose is clear, but it asks OpenClaw to clone and run unreviewed external miner code with a wallet private key and OpenAI API key, then keep a miner web service running in the background.
Treat this as a high-trust mining integration. Before installing, review the GitHub repository, pin a specific commit, use a burner wallet with minimal funds, create a dedicated OpenAI API key with spending limits, avoid pasting long-lived secrets into chat, and confirm you know how to fully stop the miner and background server.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user would be trusting unreviewed downloaded code and npm install behavior with a crypto wallet private key and OpenAI API access.
The skill installs an unpinned external repository and runs npm install, but no code files or install spec were provided for review. This is especially important because the same workflow later uses wallet and OpenAI credentials.
[ -d "$AIMINE_DIR/.git" ] || git clone https://github.com/AIMineRes/PoAIW.git "$AIMINE_DIR"
cd "$AIMINE_DIR/miner" && npm install
Only use after reviewing the repository, pinning a known commit, and confirming package integrity. Prefer a dedicated low-value wallet and a restricted OpenAI key with spending limits.
Downloaded code could access the provided private key, OpenAI key, local files available to the process, and network resources.
The agent is instructed to execute downloaded TypeScript miner code and may pass high-impact secrets directly to it. The runnable code is not included in the artifacts, so its behavior cannot be verified here.
cd "$AIMINE_DIR/miner" && npx ts-node src/index.ts init --private-key <key> --openai-key <key>
Do not provide production keys until the miner code is reviewed. Avoid command-line secret passing where possible; use a secret store or scoped environment variables and rotate keys after testing.
If mishandled, these credentials could lead to wallet loss, unauthorized transactions, or unexpected OpenAI API billing.
A wallet private key can control wallet funds and an OpenAI API key can incur charges. The skill allows these secrets to be provided in chat or injected into the downloaded miner without clear scope limits.
"The user must have provided wallet private key and OpenAI API key ... or in the conversation"
Use a fresh wallet containing only funds needed for mining, a dedicated OpenAI API key with strict limits, and avoid pasting long-lived secrets into chat.
Mining or the miner service may continue running after the immediate OpenClaw task, consuming compute, network, or paid API resources.
The skill starts a background local web server/mining process. The documented stop command stops mining through the API but does not clearly shut down the background server or describe cleanup.
"The script will start the web server on port 3000 if it is not already listening ... then POST to http://127.0.0.1:3000/api/start."
Require explicit confirmation before starting mining, monitor running processes and API usage, and add documented commands to fully stop the server and remove generated files.
