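📦 Apow Mining — One-Click Mining
v0.4.1
Quickly start AGENT token mining on the Base L2 network with apow-cli: it automatically creates a wallet, configures RPC, sets up the LLM, mints a mining rig, and mines continuously, all from the command line.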
Last updated: 2026/4/21
Security scan
OpenClaw
Suspicious
Medium confidence
The skill's instructions roughly match a miner tool, but there are important inconsistencies and risky behaviors (running unvetted npm code, generating/storing private keys, undocumented env usage) that merit caution.
Assessment recommendation
This skill instructs the agent to fetch and run apow-cli from npm/GitHub and to generate and store wallet private keys in plaintext. Before installing or invoking it: 1) Verify the apow-cli package/repo provenance (review the source code and npm package owner); 2) do not let the agent handle your existing private keys or API keys — use a funded throwaway wallet if you must test; 3) prefer to run the npm package yourself in a sandboxed environment first (or inspect the repo) rather than letting t...
Detailed analysis
ℹ Purpose and capabilities
The name/description (APoW mining via apow-cli) aligns with the runtime instructions to run npx apow-cli and mint/mine. Requiring npx/node is expected. However, the skill asks the agent to generate and persist private keys, clone/run external code from GitHub/npm at runtime, and rely on an x402/ClawRouter stack — these are heavier platform interactions than the metadata declares (no homepage, no install spec), which is surprising and worth questioning.
⚠ Instruction scope
The SKILL.md instructs the agent to generate wallets/private keys, capture private keys in plaintext, write .env files, clone repos, and run arbitrary npm packages via npx. It also tells the agent to perform funding checks and minting, which can trigger on‑chain transactions. The allowed-tools metadata omits git despite instructing git clone. These instructions broaden scope to secret handling, code execution from external sources, and financial operations — all high-impact actions for an autonomous agent.
⚠ Install mechanism
There is no install spec; the skill relies on npx to fetch and run apow-cli from npm (or git clone the repo). Running npx on an unvetted package or cloning an external repo at runtime is a higher-risk install pattern because arbitrary code will be pulled and executed without an install review or pinned provenance in the skill metadata.
⚠ Credential requirements
The registry metadata lists no required env vars, yet SKILL.md instructs creating and using PRIVATE_KEY, RPC_URL, LLM_API_KEY, and other .env entries. That mismatch is an incoherence. The skill explicitly directs agents to capture and store sensitive secrets (private keys, API keys) in plaintext — a disproportionate privilege for a skill that declared none.
ℹ Persistence and privileges
The skill does not request always:true or other elevated platform privileges and is user-invocable (normal). However, because it encourages fetching/running external packages and handling private keys, an autonomously-invoking agent could perform financial actions or exfiltrate secrets — the combination increases risk even though persistence flags themselves are benign.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Versions
latest v0.4.1 2026/3/20
Sync canonical APoW skill with Easy Mode/x402 flow, safer RPC guidance, and 5s stale-check docs; no breaking behavior changes.
● Suspicious
Install command
Official: npx clawhub@latest install apow-mining
Mirror (accelerated): npx clawhub@latest install apow-mining --registry https://cn.longxiaskill.com