ClawSkill
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
You may install and run code that ClawScan could not inspect, and that code is intended to mine tokens, manage a wallet, contact a network, and potentially create a service.
The skill delegates the security-critical miner installation to external package managers, while the reviewed artifact set contains no miner implementation and the commands do not pin a version or hash.
# Python (recommended) pip install clawskill # Node.js npm install -g clawskill
Before installing, independently review the PyPI/npm package and linked repository, verify the exact version and hashes, and avoid installing globally or enabling service mode until you trust the package.
Even if no files or passwords are collected, repeated hardware measurements and wallet names can identify or track the device used for mining.
The skill clearly discloses recurring transmission of hardware attestation and wallet identifier data to a remote RustChain node.
During attestation (every few minutes when mining), the following is sent to the RustChain node: - CPU model name and architecture - Clock timing variance - Cache latency profile - VM detection flags - Wallet name
Use only if you are comfortable sending hardware fingerprint information to the RustChain service; consider using a dedicated machine or wallet name.
If service mode is enabled, mining may continue after the current session and consume CPU, power, and network resources until stopped or uninstalled.
The skill can create a persistent auto-restart background miner, but the documentation presents this as an explicit opt-in mode.
Or: start with background auto-restart (opt-in) clawskill start --service
Run in foreground first, avoid --service unless you intentionally want persistence, and confirm that stop and uninstall work on your system.