clawrtc
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its stated crypto-mining purpose, but it sends device identifiers like MAC addresses and hostname despite telling users that personal data is not sent.
Review this carefully before installing. If you run it, expect ongoing CPU/network use for token mining and remote hardware attestation. The current disclosure does not clearly state that MAC addresses and hostname are sent, so avoid installing unless you are comfortable sharing those device identifiers with the RustChain node.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may believe only generic hardware performance data is sent, while the remote RustChain node also receives identifiers tied to their specific machine.
The privacy disclosure omits MAC addresses and hostname, yet the miner submits them in the attestation payload. These are persistent device/network identifiers and can identify a user's machine.
SKILL.md: "NOT sent: file contents, browsing history, credentials, IP geolocation, personal data." / miner.py: "signals": { "macs": self.hw_info.get("macs", [self.hw_info["mac"]]), "hostname": self.hw_info["hostname"] }
Update the disclosure to list MAC addresses, hostname, cores, memory, and any other submitted fields; request explicit consent for these identifiers and offer an option to omit or hash them.
If started, the miner may continue using CPU and network resources until stopped or uninstalled.
The skill is designed to keep mining and attesting over time, and it documents background/service operation. This is purpose-aligned, but it is persistent behavior that users should explicitly understand.
README.md: "clawrtc start | Start mining in background" and "Systemd user service (Linux) or LaunchAgent (macOS)" / SKILL.md: "Automatic attestation: Attests to the RustChain network every few minutes"
Before starting mining or enabling `--service`, verify how to stop it with `clawrtc stop` and remove it with `clawrtc uninstall`.
The installed code may depend on package-index state at install time, not only the reviewed bundled files.
Installation creates a local virtual environment and pulls dependencies without exact pins. This is normal for a Python CLI, but it means future dependency versions can affect behavior.
cli.py: `run_cmd(f'"{pip}" install --upgrade pip -q')` and `run_cmd(f'"{pip}" install requests -q')` / pyproject.toml: `dependencies = ["requests>=2.25", "cryptography>=41.0"]`
Prefer pinned dependency versions or a lockfile, and review the package source and dependencies before installation.
Providing Coinbase CDP credentials could allow wallet creation or other actions through the Coinbase AgentKit dependency.
The optional Coinbase integration reads Coinbase CDP credentials from environment variables and uses them to create a Base wallet. This is disclosed and purpose-aligned, but it is sensitive financial-account authority.
SKILL.md: "Requires CDP credentials from portal.cdp.coinbase.com for auto-creation." / coinbase_wallet.py: `cdp_key_name = os.environ.get("CDP_API_KEY_NAME", "")` and `cdp_key_private = os.environ.get("CDP_API_KEY_PRIVATE_KEY", "")`
Only configure CDP credentials if you need the Coinbase feature, use least-privileged keys, and avoid exposing those environment variables to unrelated tools.
