Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
clawrtc
v1.5.0Mine RTC tokens by proving your hardware's authenticity with cryptographic checks and automated RustChain network attestation.
⭐ 1· 507·0 current·0 all-time
byAutoJanitor@scottcjn
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Code implements the stated purpose: local fingerprinting, attestation, and periodic HTTP calls to a RustChain node to earn tokens. Commands run (lscpu, nproc, ip/ifconfig, sysctl) and filesystem reads (/proc, /sys) are consistent with hardware fingerprinting and VM detection.
Instruction Scope
SKILL.md claims 'No post-install telemetry' and 'No personal data sent', but the miner code sends MAC addresses, hostname, timing entropy samples, CPU model, and other fingerprint data to NODE_URL (/attest/*). Network-level metadata (your IP) will also be visible to the node. The README and SKILL.md also reference different endpoints (IP vs domain), which is inconsistent and should be clarified.
Install Mechanism
There is no special install spec in the registry; installation is via pip (as the SKILL.md instructs). The package bundles miner scripts (no external downloads during install), creates a venv, and installs dependencies (requests, cryptography). This is expected for a Python miner; installing dependencies will cause normal network activity via pip.
Credentials
The skill declares no required environment variables, but optional Coinbase wallet functionality depends on CDP_API_KEY_NAME and CDP_API_KEY_PRIVATE_KEY. The miner reads many system files and environment keys (KUBERNETES, DOCKER, VIRTUAL, container) for VM detection and collects MAC addresses and hostname — these are identifying and arguably 'personal' data despite SKILL.md claiming otherwise.
Persistence & Privilege
always:false and background service is opt-in ('--service'). The installer writes to the user home (~/.clawrtc), creates a venv and can install a per-user systemd/LaunchAgent service if requested. It does not request elevated or system-wide privileges by default, but it does create persistent files/services in the user account.
What to consider before installing
This package largely does what it describes (hardware fingerprinting + attestation) but makes misleading privacy statements. Before installing: 1) Treat MAC addresses, hostname, and timing samples as identifying data — the miner sends them to an external node (NODE_URL) and the node will observe your IP. 2) Use --dry-run and --verify to inspect hashes and behavior first. 3) Inspect the upstream source (the GitHub repo referenced) and confirm the node domain/IP are legitimate. 4) If you value privacy, run it in an isolated environment (air-gapped or disposable VM/container) and do not enable persistent service or automatic enrollment. 5) If using Coinbase wallet features, protect CDP credentials (they are optional but sensitive). 6) If you allow the agent to invoke skills autonomously, be aware this skill has network access and will periodically call the external attestation endpoint — limit autonomous invocation or monitor network calls. If you need full assurance, do not install until the node/operator identity and data retention/policy are verified.Like a lobster shell, security has layers — review code before you run it.
latestvk973996drxkzetavac4603gz8d81e21z
License
MIT-0
Free to use, modify, and redistribute. No attribution required.