ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Apow Mining

v0.4.0

Set up and start mining AGENT tokens on Base L2 using apow-cli. Handles wallet creation, RPC setup, LLM config, minting a rig, and starting the mining loop.

0· 102·0 current·0 all-time
by@agentoshi
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (APoW mining on Base) align with required binaries (npx/node) and env vars (PRIVATE_KEY for signing, RPC_URL for an Ethereum RPC, LLM_PROVIDER/LLM_API_KEY for the SMHL minting step). There are no unrelated credentials or binaries requested.
Instruction Scope
SKILL.md instructs the agent to generate/export private keys, write them into a .env, save wallet files to the current directory, and run npx apow-cli commands (setup, fund, mint, mine). These steps are expected for an on-chain miner but grant the skill access to highly sensitive material (the wallet private key) and file-write operations. The doc also describes bridging from Solana and optional base58 keys for the fund flow; those are plausible but not reflected as required env vars (they are optional flags).
Install Mechanism
There is no install spec, but the runtime relies on npx/git clone to fetch and execute remote code (npm package or GitHub repo). This is functionally necessary for using a CLI not preinstalled, but it carries supply-chain risk because npx will fetch executable code from external registries at runtime.
Credentials
The four required env vars are proportionate to the task: PRIVATE_KEY (primary credential) and RPC_URL are required for signing and chain access; LLM_PROVIDER and LLM_API_KEY are justified for the minting/SMHL step. However, PRIVATE_KEY is extremely sensitive; the instructions explicitly tell the agent to write it to disk (.env and wallet-<address>.txt), which increases the risk if the same key is reused elsewhere.
Persistence & Privilege
always is false and the skill does not request persistent/force-installed presence or modifications to other skills. Autonomous invocation is allowed (platform default) but not combined with additional privileged settings.
Assessment
This skill is coherent for running a mining CLI, but it requires your wallet private key and will fetch/execute code from npm/GitHub via npx. Before installing, consider: use a dedicated, low-value Base wallet (do not reuse a mainnet hot key); verify the apow-cli package/repository (check the npm package and GitHub source) before running npx; use a vetted RPC provider (Alchemy/Infura) rather than the public RPC; store .env/wallet files securely and remove the private key when done; and if you are uncomfortable letting an agent write or hold a raw private key, do the wallet/funding/mint steps manually on a machine you control.

Like a lobster shell, security has layers — review code before you run it.

ai-agentvk978kv66g95ddnmwph4m6kgj7s8396f3autonomous-earningvk979cmjn7e88fw8cvdhv2cp2bh838dynbasevk978kv66g95ddnmwph4m6kgj7s8396f3cryptovk978kv66g95ddnmwph4m6kgj7s8396f3earn-cryptovk979cmjn7e88fw8cvdhv2cp2bh838dynerc8004vk978kv66g95ddnmwph4m6kgj7s8396f3latestvk97a7ntzdg55d3t0t4etqtf4vn83g9ttminingvk978kv66g95ddnmwph4m6kgj7s8396f3passive-incomevk979cmjn7e88fw8cvdhv2cp2bh838dynproof-of-workvk978kv66g95ddnmwph4m6kgj7s8396f3solana-bridgevk979cmjn7e88fw8cvdhv2cp2bh838dyn

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Any binnpx, node
EnvPRIVATE_KEY, RPC_URL, LLM_PROVIDER, LLM_API_KEY
Primary envPRIVATE_KEY

Comments