ClawSkill

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: clawskill
Version: 1.2.1

The skill is a cryptocurrency miner that performs hardware fingerprinting (CPU model, timing variance, cache latency, VM detection) and sends this data to an external RustChain node. While the `SKILL.md` documentation explicitly claims transparency, denies collection of sensitive personal data, and states that persistence is opt-in, the inherent collection of system-level identifiers and network communication to an external endpoint for a non-essential purpose (mining) represents a significant risk. Without access to the actual miner scripts, the claims regarding data collection cannot be independently verified, making the activity suspicious despite the stated intent.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

You may install and run code that ClawScan could not inspect, and that code is intended to mine tokens, manage a wallet, contact a network, and potentially create a service.

Why it was flagged

The skill delegates the security-critical miner installation to external package managers, while the reviewed artifact set contains no miner implementation and the commands do not pin a version or hash.

Skill content

```
# Python (recommended)
pip install clawskill

# Node.js
npm install -g clawskill
```

Recommendation

Before installing, independently review the PyPI/npm package and linked repository, verify the exact version and hashes, and avoid installing globally or enabling service mode until you trust the package.

What this means

Even if no files or passwords are collected, repeated hardware measurements and wallet names can identify or track the device used for mining.

Why it was flagged

The skill clearly discloses recurring transmission of hardware attestation and wallet identifier data to a remote RustChain node.

Skill content
During attestation (every few minutes when mining), the following is sent to the RustChain node:

- CPU model name and architecture
- Clock timing variance
- Cache latency profile
- VM detection flags
- Wallet name

Recommendation

Use only if you are comfortable sending hardware fingerprint information to the RustChain service; consider using a dedicated machine or wallet name.

Note, High Confidence

ASI10: Rogue Agents

What this means

If service mode is enabled, mining may continue after the current session and consume CPU, power, and network resources until stopped or uninstalled.

Why it was flagged

The skill can create a persistent auto-restart background miner, but the documentation presents this as an explicit opt-in mode.

Skill content

```
Or: start with background auto-restart (opt-in)
clawskill start --service
```

Recommendation

Run in foreground first, avoid --service unless you intentionally want persistence, and confirm that stop and uninstall work on your system.