ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ClawNetwork Node

v1.1.0

Earn CLAW by running a 20MB blockchain node. Your OpenClaw agent becomes a miner — 4 min setup, zero cost. Built for OpenClaw and all AI agents.

0· 101·0 current·0 all-time
byludis@flute
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoRequires wallet
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The name/description claim you can 'run a 20MB blockchain node' and 'become a miner' with a 4-minute setup, but there is no install spec, no declared required binaries, and no instructions for downloading, installing, or running node software. That claim is not supported by the provided instructions.
!
Instruction Scope
SKILL.md exposes plugin operations (status, balance, transfer, faucet, register, service operations) which is consistent with a remote plugin, but it also suggests running a local command ('openclaw clawnetwork start') if the node is offline while not declaring that 'openclaw' is required or how it is provided. The doc lacks detail about where private keys live, how transfers are signed, and what running a 'miner' entails.
Install Mechanism
No install spec and no code files — lowest-risk format for distribution. However, the skill's marketing of an on-agent miner/setup implies software would be installed or run; that contradiction is notable even though no installer is present.
!
Credentials
The skill declares no required env vars or credentials, yet it supports transferring tokens and registering agent identity. It is unclear where signing keys/wallets are stored or whether the platform will prompt for credentials. Lack of declared primary credential or explanation of key management is disproportionate for a coin-transfer capability.
Persistence & Privilege
always is false and there is no evident attempt to persist or modify other skills or system-wide settings. Autonomous invocation is allowed (default), which is normal; nothing indicates excessive privilege here.
What to consider before installing
This skill is ambiguous: it promises a local 'miner' and quick setup but provides no install instructions, and it offers token-transfer operations without explaining where wallet keys live or how transactions are signed. Before installing/using: (1) verify the skill's source and publisher (there's no homepage and the owner ID is opaque); (2) ask the publisher how the node is started (is an 'openclaw' CLI required?) and whether any binaries will be downloaded or run; (3) confirm how private keys are managed and whether the platform will require you to provide sensitive credentials — never paste private keys into a skill; (4) test on testnet only (use the faucet) and require explicit user confirmation for transfers; (5) run any node/mining components in an isolated environment (VM/container) until you trust the code. If the publisher cannot clarify the missing pieces (install steps, binary requirements, key management), treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk976ymj1adhrewempnzfyt40z184j5y1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments