Mine RTC tokens by proving your hardware's authenticity with cryptographic checks and automated RustChain network attestation.
Security Analysis
medium confidenceThe package implements the described miner and hardware fingerprinting, but its runtime behavior and documentation make misleading privacy claims (it transmits MACs/hostnames and timing samples to an external node) and it sends fairly identifying data to an externally-hosted endpoint — the combination warrants caution.
Code implements the stated purpose: local fingerprinting, attestation, and periodic HTTP calls to a RustChain node to earn tokens. Commands run (lscpu, nproc, ip/ifconfig, sysctl) and filesystem reads (/proc, /sys) are consistent with hardware fingerprinting and VM detection.
SKILL.md claims 'No post-install telemetry' and 'No personal data sent', but the miner code sends MAC addresses, hostname, timing entropy samples, CPU model, and other fingerprint data to NODE_URL (/attest/*). Network-level metadata (your IP) will also be visible to the node. The README and SKILL.md also reference different endpoints (IP vs domain), which is inconsistent and should be clarified.
There is no special install spec in the registry; installation is via pip (as the SKILL.md instructs). The package bundles miner scripts (no external downloads during install), creates a venv, and installs dependencies (requests, cryptography). This is expected for a Python miner; installing dependencies will cause normal network activity via pip.
The skill declares no required environment variables, but optional Coinbase wallet functionality depends on CDP_API_KEY_NAME and CDP_API_KEY_PRIVATE_KEY. The miner reads many system files and environment keys (KUBERNETES, DOCKER, VIRTUAL, container) for VM detection and collects MAC addresses and hostname — these are identifying and arguably 'personal' data despite SKILL.md claiming otherwise.
always:false and background service is opt-in ('--service'). The installer writes to the user home (~/.clawrtc), creates a venv and can install a per-user systemd/LaunchAgent service if requested. It does not request elevated or system-wide privileges by default, but it does create persistent files/services in the user account.
Guidance
This package largely does what it describes (hardware fingerprinting + attestation) but makes misleading privacy statements. Before installing: 1) Treat MAC addresses, hostname, and timing samples as identifying data — the miner sends them to an external node (NODE_URL) and the node will observe your IP. 2) Use --dry-run and --verify to inspect hashes and behavior first. 3) Inspect the upstream source (the GitHub repo referenced) and confirm the node domain/IP are legitimate. 4) If you value privacy, run it in an isolated environment (air-gapped or disposable VM/container) and do not enable persistent service or automatic enrollment. 5) If using Coinbase wallet features, protect CDP credentials (they are optional but sensitive). 6) If you allow the agent to invoke skills autonomously, be aware this skill has network access and will periodically call the external attestation endpoint — limit autonomous invocation or monitor network calls. If you need full assurance, do not install until the node/operator identity and data retention/policy are verified.
Latest Release
v1.5.0
ClawRTC 1.5.0 introduces native Coinbase Base wallet support and security enhancements. - New: Coinbase wallet support—create, link, and manage Base addresses directly from the CLI. - New: USDC to wRTC swap guide for on-chain integration. - Security: Explicit details on what data is (and is not) sent during attestation. - Security: Hash verification and dry-run mode for transparent installs. - Privacy: No post-install telemetry and explicit consent prompt before installing. - Docs: Expanded setup, usage, and hardware multiplier descriptions.
More by @Scottcjn
Published by @Scottcjn on ClawHub
