Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
ClawRTC
v1.5.0
Mine RustChain RTC tokens on real x86/ARM or vintage hardware by proving physical device control with the ClawRTC mining client.
⭐ 9 · 703 · 2 current · 2 all-time
by AutoJanitor (@scottcjn)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.

Security Scan
OpenClaw
Suspicious (high confidence)

Purpose & Capability
The code implements a RustChain miner and hardware-fingerprint checks which match the skill description, so purpose and capability mostly align. However the optional Coinbase integration expects CDP API credentials via environment variables (CDP_API_KEY_NAME, CDP_API_KEY_PRIVATE_KEY) but the registry metadata lists no required env vars or primary credential. Also multiple repository/explorer URLs in README/SKILL.md differ (hostname, IP, bottube.ai), and the package owner/registry homepage is blank — these metadata mismatches reduce trust.
Instruction Scope
SKILL.md describes the attestation payload as limited (CPU model, clock variance, cache profile, VM flags, wallet name). The actual miner attestation transmits MAC addresses, hostname, fingerprint_data (including sample previews / entropy stats) and device fields — more identifying information than the SKILL.md explicitly lists. The CLI and miner read many system paths and run commands (lscpu, ip/ifconfig, free, /proc files, sysctl), which is expected for hardware fingerprinting but broader than the simple summary in the docs. The coinbase flow requires environment secrets (checked at runtime) that were not declared in registry metadata.
Install Mechanism
This is an instruction-and-package distribution intended to be installed via pip (no additional install spec in registry). There are no external downloads at runtime claimed; bundled miner scripts are installed from the package. That is proportionate for a Python miner. The miner does perform network calls to a node URL (bulbous-bouffant.metalseed.net) during operation; there is no code-obfuscation or remote archive extraction in the package itself.
Credentials
The package does not declare required environment variables in the registry, yet coinbase_wallet.py reads CDP_API_KEY_NAME and CDP_API_KEY_PRIVATE_KEY for auto wallet creation. The miner also reads standard environment keys to detect containerization (KUBERNETES, DOCKER, VIRTUAL) and writes wallet/config files to ~/.clawrtc. Asking for CDP private key material is sensitive and should be declared explicitly; omission is a red flag.
Persistence & Privilege
The tool creates a directory in the user's home (~/.clawrtc), a Python venv, saves wallet and coinbase files, and (per README/CLI hints) can create a user background service if requested. 'always' is false and autonomous invocation is default platform behavior. This level of persistence and privilege is expected for a miner but the user should be aware files and services will be added to their home directory and optionally a user service manager.
What to consider before installing
This package contains genuine miner code, but be cautious before installing. Things to check:
1) The coinbase auto-create path expects CDP_API_KEY_NAME and CDP_API_KEY_PRIVATE_KEY environment variables (sensitive private key material) yet the skill metadata does not declare them — do not set private keys unless you trust the maintainer.
2) The runtime attestation transmits MAC addresses, hostname and fingerprint samples (potentially identifying); SKILL.md understates what is sent. If you care about privacy, run on an isolated test machine (not your primary machine) and use the --dry-run and --verify options first.
3) Verify the node endpoints (NODE_URL) and repository sources independently — node hostnames/IPs in README/skill differ and may be untrusted.
4) Inspect ~/.clawrtc after installation and avoid enabling the background service unless you accept persistent miner behavior.
5) Prefer installing from a verified source (official PyPI page or a cryptographically signed release on GitHub) and review the maintainer identity/contact.
If you want to proceed, consider using a sacrificial/air-gapped or VM host (not one with sensitive data) and do not export private keys into environment variables unless you fully trust the code and operator.

Like a lobster shell, security has layers — review code before you run it.
