ClawSkill
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill is not proven malicious, but it asks users to install and run an external token miner that was not included for review and that fingerprints hardware and can run as a service.
Install only if you intentionally want to run token-mining software. Review the exact PyPI/npm package and source code first, verify hashes, run it in the foreground before enabling service mode, monitor CPU/power/network usage, and be comfortable with hardware attestation data being sent repeatedly to the RustChain network.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You may install and run code that ClawScan could not inspect, and that code is intended to mine tokens, manage a wallet, contact a network, and potentially create a service.
The skill delegates the security-critical miner installation to external package managers, while the reviewed artifact set contains no miner implementation and the commands do not pin a version or hash.
# Python (recommended)
pip install clawskill
# Node.js
npm install -g clawskill
Before installing, independently review the PyPI/npm package and linked repository, verify the exact version and hashes, and avoid installing globally or enabling service mode until you trust the package.
Even if no files or passwords are collected, repeated hardware measurements and wallet names can identify or track the device used for mining.
The skill clearly discloses recurring transmission of hardware attestation and wallet identifier data to a remote RustChain node.
During attestation (every few minutes when mining), the following is sent to the RustChain node:
- CPU model name and architecture
- Clock timing variance
- Cache latency profile
- VM detection flags
- Wallet name
Use only if you are comfortable sending hardware fingerprint information to the RustChain service; consider using a dedicated machine or wallet name.
If service mode is enabled, mining may continue after the current session and consume CPU, power, and network resources until stopped or uninstalled.
The skill can create a persistent auto-restart background miner, but the documentation presents this as an explicit opt-in mode.
Or: start with background auto-restart (opt-in)
clawskill start --service
Run in foreground first, avoid --service unless you intentionally want persistence, and confirm that stop and uninstall work on your system.
