ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

DePIN Fleet Monitor

v1.0.2

Monitor and track health, earnings, uptime, and alerts for MastChain, Mysterium, WingBits, Acurast, and NeutroneX DePIN nodes in a unified dashboard.

0· 51·0 current·0 all-time
by@wallieminer1-alt
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (DePIN fleet monitoring) align with the code: modules query MastChain, Mysterium, WingBits, Acurast, NeutroneX APIs, ping nodes, compute earnings, and persist history/alerts. Default wallet strings are present as placeholders but are plausible for display; no unrelated cloud credentials or unrelated binaries are requested.
Instruction Scope
SKILL.md instructs the user to place a fleet-config.json at ~/.openclaw/workspace/config/fleet-config.json and enable the skill — the code reads/writes files at that path and under ~/.openclaw/workspace/skills/depin-fleet-monitor/data. Runtime actions in the instructions (periodic checks, alerts, Telegram mention) match the code. The code performs network calls only to configured node IPs and a few public endpoints (hub.acurast.com, api.neutronex.io), and uses process.env.HOME only; it does not read extra environment variables or unrelated system configuration.
Install Mechanism
There is no install spec (no external downloads or package installation). However, code files are included and will run when the skill is enabled. No install-time network fetches or archive extraction are present, which lowers supply-chain risk, but enabling will execute included JavaScript in the agent runtime.
Credentials
The skill declares no required environment variables or credentials and only uses HOME to locate config/data. It does not request tokens/secrets. Embedded default wallet addresses are present but are informational; no evidence the skill contacts any unexpected external endpoints to exfiltrate secrets.
Persistence & Privilege
always is false and the skill is user-invocable. It stores data under its own skill directory (~/.openclaw/workspace/skills/depin-fleet-monitor/data) and updates config in the workspace path; it does not modify other skills or system-wide agent settings.
Assessment
This skill appears coherent for monitoring DePIN nodes, but before enabling: (1) review and populate ~/.openclaw/workspace/config/fleet-config.json with only the nodes you control; (2) be aware the skill will ping device IPs and make HTTP(S) requests to those IPs and to hub.acurast.com and api.neutronex.io; (3) it will create and update files under ~/.openclaw/workspace/skills/depin-fleet-monitor/data and the workspace config path; (4) no credentials are required, but if you later enable Telegram or other alert integrations, those will need tokens — only provide them if you trust the skill; (5) if you want extra safety, inspect the included JS files locally and run the skill in a restricted or test environment first.
lib/mastchain.js:92
Shell command execution detected (child_process).
lib/neutronex.js:71
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk970a0ygzphhbnnyvafs0jh2vx83qt28

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments