ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

ClawRTC

v1.5.0

Mine RustChain RTC tokens on real x86/ARM or vintage hardware by proving physical device control with ClawRTC mining client.

9· 725·2 current·2 all-time
byAutoJanitor@scottcjn
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The code implements a RustChain miner and hardware-fingerprint checks which match the skill description, so purpose and capability mostly align. However the optional Coinbase integration expects CDP API credentials via environment variables (CDP_API_KEY_NAME, CDP_API_KEY_PRIVATE_KEY) but the registry metadata lists no required env vars or primary credential. Also multiple repository/explorer URLs in README/SKILL.md differ (hostname, IP, bottube.ai), and the package owner/registry homepage is blank — these metadata mismatches reduce trust.
!
Instruction Scope
SKILL.md describes the attestation payload as limited (CPU model, clock variance, cache profile, VM flags, wallet name). The actual miner attestation transmits MAC addresses, hostname, fingerprint_data (including sample previews / entropy stats) and device fields — more identifying information than the SKILL.md explicitly lists. The CLI and miner read many system paths and run commands (lscpu, ip/ifconfig, free, /proc files, sysctl), which is expected for hardware fingerprinting but broader than the simple summary in the docs. The coinbase flow requires environment secrets (checked at runtime) that were not declared in registry metadata.
Install Mechanism
This is an instruction-and-package distribution intended to be installed via pip (no additional install spec in registry). There are no external downloads at runtime claimed; bundled miner scripts are installed from the package. That is proportionate for a Python miner. The miner does perform network calls to a node URL (bulbous-bouffant.metalseed.net) during operation; there is no code-obfuscation or remote archive extraction in the package itself.
!
Credentials
The package does not declare required environment variables in the registry, yet coinbase_wallet.py reads CDP_API_KEY_NAME and CDP_API_KEY_PRIVATE_KEY for auto wallet creation. The miner also reads standard environment keys to detect containerization (KUBERNETES, DOCKER, VIRTUAL) and writes wallet/config files to ~/.clawrtc. Asking for CDP private key material is sensitive and should be declared explicitly; omission is a red flag.
Persistence & Privilege
The tool creates a directory in the user's home (~/.clawrtc), a Python venv, saves wallet and coinbase files, and (per README/CLI hints) can create a user background service if requested. 'always' is false and autonomous invocation is default platform behavior. This level of persistence and privilege is expected for a miner but the user should be aware files and services will be added to their home directory and optionally a user service manager.
What to consider before installing
This package contains genuine miner code, but be cautious before installing. Things to check: 1) The coinbase auto-create path expects CDP_API_KEY_NAME and CDP_API_KEY_PRIVATE_KEY environment variables (sensitive private key material) yet the skill metadata does not declare them — do not set private keys unless you trust the maintainer. 2) The runtime attestation transmits MAC addresses, hostname and fingerprint samples (potentially identifying); SKILL.md understates what is sent. If you care about privacy, run in an isolated test machine (not your primary machine) and use the --dry-run and --verify options first. 3) Verify the node endpoints (NODE_URL) and repository sources independently — node hostnames/IPs in README/skill differ and may be untrusted. 4) Inspect ~/.clawrtc after installation and avoid enabling background service unless you accept persistent miner behavior. 5) Prefer installing from a verified source (official PyPI page or a cryptographically signed release on GitHub) and review the maintainer identity/contact. If you want to proceed, consider using a sacrificial/air-gapped or VM host (not one with sensitive data) and do not export private keys into environment variables unless you fully trust the code and operator.

Like a lobster shell, security has layers — review code before you run it.

coinbasevk976fmjp24jyqtj7anbtvmhbas81fq2zlatestvk976fmjp24jyqtj7anbtvmhbas81fq2zwalletvk976fmjp24jyqtj7anbtvmhbas81fq2zx402vk976fmjp24jyqtj7anbtvmhbas81fq2z
725downloads
9stars
4versions
Updated 6h ago
v1.5.0
MIT-0
AutoJanitor@scottcjn
coinbaselatestwalletx402
Download

ClawRTC

Mine RTC tokens with your AI agent using Proof-of-Antiquity consensus.

What It Does

  • One-command setup: pip install clawrtc && clawrtc install --wallet my-agent
  • Hardware fingerprinting: 6 cryptographic checks prove your machine is real (clock drift, cache timing, SIMD identity, thermal entropy, instruction jitter, anti-emulation)
  • Automatic attestation: Attests to the RustChain network every few minutes
  • Per-epoch rewards: RTC tokens accumulate in your wallet each epoch (~10 minutes)
  • VM detection: Virtual machines are detected and receive effectively zero rewards

Security

  • No post-install telemetry — no network calls during pip install
  • TLS verification enabled — all RustChain API calls verify SSL certificates (CA-signed)
  • Bundled code only — all miner scripts ship with the package, no external downloads
  • Consent required — interactive approval prompt before installation
  • Dry-run modeclawrtc install --dry-run previews without installing
  • Hash verificationclawrtc install --verify shows SHA256 of all bundled files
  • Clean uninstallclawrtc uninstall removes all files, services, and configs
  • No background service by default — must explicitly pass --service to enable
  • Source available — full source at https://github.com/Scottcjn/Rustchain (MIT)

What Data Is Sent

During attestation (when mining), the following is sent to the RustChain node:

  • CPU model name and architecture (e.g. "AMD Ryzen 5", "x86_64")
  • Clock timing variance (proves real oscillator)
  • Cache latency profile (proves real L1/L2/L3 hierarchy)
  • VM detection flags (hypervisor yes/no)
  • Wallet name (your chosen identifier)

NOT sent: file contents, browsing history, credentials, IP geolocation, personal data.

Install

pip install clawrtc

Usage

# Install miner + configure wallet
clawrtc install --wallet my-agent

# Start mining (foreground)
clawrtc start

# Check status
clawrtc status

# View logs
clawrtc logs

# Stop mining
clawrtc stop

# Clean uninstall
clawrtc uninstall

Multipliers

HardwareMultiplier
Modern x86/ARM1.0x
Apple Silicon (M1-M3)1.2x
PowerPC G52.0x
PowerPC G42.5x
VM/Emulator~0x (detected and penalized)

Coinbase Wallet (v1.5.0)

# Create a Coinbase Base wallet
pip install clawrtc[coinbase]
clawrtc wallet coinbase create

# Show wallet info
clawrtc wallet coinbase show

# Link existing Base address
clawrtc wallet coinbase link 0xYourBaseAddress

# USDC → wRTC swap guide
clawrtc wallet coinbase swap-info

Requires CDP credentials from portal.cdp.coinbase.com for auto-creation. Manual linking works without credentials.

Links

Comments

Loading comments...