clawrtc
Advisory
Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user may believe only generic hardware performance data is sent, while the remote RustChain node also receives identifiers tied to their specific machine.
The privacy disclosure omits MAC addresses and hostname, yet the miner submits them in the attestation payload. These are persistent device/network identifiers and can identify a user's machine.
SKILL.md: "NOT sent: file contents, browsing history, credentials, IP geolocation, personal data." / miner.py: "signals": { "macs": self.hw_info.get("macs", [self.hw_info["mac"]]), "hostname": self.hw_info["hostname"] }
Update the disclosure to list MAC addresses, hostname, cores, memory, and any other submitted fields; request explicit consent for these identifiers and offer an option to omit or hash them.
If started, the miner may continue using CPU and network resources until stopped or uninstalled.
The skill is designed to keep mining and attesting over time, and it documents background/service operation. This is purpose-aligned, but it is persistent behavior that users should explicitly understand.
README.md: "clawrtc start | Start mining in background" and "Systemd user service (Linux) or LaunchAgent (macOS)" / SKILL.md: "Automatic attestation: Attests to the RustChain network every few minutes"
Before starting mining or enabling `--service`, verify how to stop it with `clawrtc stop` and remove it with `clawrtc uninstall`.
The installed code may depend on package-index state at install time, not only the reviewed bundled files.
Installation creates a local virtual environment and pulls dependencies without exact pins. This is normal for a Python CLI, but it means future dependency versions can affect behavior.
cli.py: "run_cmd(f'\"{pip}\" install --upgrade pip -q')" and "run_cmd(f'\"{pip}\" install requests -q')" / pyproject.toml: "dependencies = [\"requests>=2.25\", \"cryptography>=41.0\"]"
Prefer pinned dependency versions or a lockfile, and review the package source and dependencies before installation.
Providing Coinbase CDP credentials could allow wallet creation or other actions through the Coinbase AgentKit dependency.
The optional Coinbase integration reads Coinbase CDP credentials from environment variables and uses them to create a Base wallet. This is disclosed and purpose-aligned, but it is sensitive financial-account authority.
SKILL.md: "Requires CDP credentials from portal.cdp.coinbase.com for auto-creation." / coinbase_wallet.py: "cdp_key_name = os.environ.get(\"CDP_API_KEY_NAME\", \"\")" and "cdp_key_private = os.environ.get(\"CDP_API_KEY_PRIVATE_KEY\", \"\")"
Only configure CDP credentials if you need the Coinbase feature, use least-privileged keys, and avoid exposing those environment variables to unrelated tools.
