Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
ClawSkill
v1.2.1Mine RustChain Tokens (RTC) by proving your AI agent runs on real hardware with secure, open-source attestation and built-in wallet management.
⭐ 2· 1.2k·0 current·0 all-time
byAutoJanitor@scottcjn
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The skill claims to be 'open-source mining software' with miner scripts bundled inside the package (inspectable in data/). The provided manifest only contains SKILL.md and package.json — no miner scripts or data/ directory are present. Yet SKILL.md instructs the user/agent to run 'pip install clawskill' or 'npm install -g clawskill', meaning the actual miner would be downloaded from external registries at install time. This mismatch between 'bundled' vs 'downloaded' is incoherent for a skill that claims local verifiability.
Instruction Scope
The runtime instructions tell the agent to execute system package installs (pip/npm) and then run miner commands that attest hardware and periodically send fingerprinting data to a network node. The SKILL.md asserts strong transparency guarantees (local hashes, consent prompts, no external downloads) but the shipped skill lacks the files that would enable those guarantees. The instructions also do not explain wallet key handling or how attestation data is protected — the skill will collect periodic hardware fingerprints and a wallet identifier and send them to a RustChain node, which is significant telemetry even if not 'credentials'.
Install Mechanism
There is no install specification in the skill bundle, but SKILL.md directs installation from public package registries (PyPI/npm). This creates a moderate-to-high risk because code will be fetched from the network at install time. SKILL.md's repeated claim that 'All miner scripts are bundled inside the package — no external downloads at install time' contradicts the explicit pip/npm install commands, making the install mechanism claims unreliable.
Credentials
The skill requests no environment variables or special system config paths, which is proportionate on its face. However, it will create files under ~/.clawskill, create a wallet, and periodically transmit hardware fingerprinting telemetry and a wallet name to remote nodes. The lack of declared credentials is not reassuring here because the telemetry and wallet data handling (private keys, backups, storage security) is unspecified.
Persistence & Privilege
The skill is not marked always:true and background service is opt-in per SKILL.md, which is reasonable. However, because the instructions can cause the agent to install and run external software and then perform recurring network attestation, autonomous invocation combined with the ability to fetch and install packages increases blast radius. This combination is noteworthy even though autonomous invocation alone is normal.
What to consider before installing
Do not install or run this skill until you resolve the contradictions and verify sources. Specific actions to take before proceeding:
- Inspect the upstream GitHub repo (https://github.com/Scottcjn/Rustchain) and the PyPI/npm packages the SKILL.md references. Confirm the package versions and that their contents actually include the miner scripts and the SHA256 hashes the README claims.
- If you consider installing, download and inspect the PyPI/npm package contents locally (do not run install blindly). Verify cryptographic hashes and read the miner source code to see how wallets/keys are stored and how telemetry is sent.
- Treat the installer behavior as network-download-of-code: prefer running it inside an isolated environment or disposable VM that you can wipe, not on your primary machine.
- Ask the skill author to explain the discrepancy: why does SKILL.md claim 'bundled' files while this registry package lacks them, and why does it assert 'no external downloads' while instructing pip/npm install?
- If you cannot perform code review and independent verification, avoid installing. The current package contents and SKILL.md claims are internally inconsistent and could enable unexpected remote code execution.Like a lobster shell, security has layers — review code before you run it.
blockchainvk975fxfqsc7wkzxa9p5ypkg1cs80rjr4hardwarevk975fxfqsc7wkzxa9p5ypkg1cs80rjr4latestvk977wzfd71yw7nfa0w5em9c7ch814x3sminervk975fxfqsc7wkzxa9p5ypkg1cs80rjr4proof-of-antiquityvk975fxfqsc7wkzxa9p5ypkg1cs80rjr4rtcvk975fxfqsc7wkzxa9p5ypkg1cs80rjr4rustchainvk975fxfqsc7wkzxa9p5ypkg1cs80rjr4
License
MIT-0
Free to use, modify, and redistribute. No attribution required.