Skill Trust Decision
aibtc
The skill downloads and executes untrusted remote npm code via npx with no version pinning or hash verification, while the SKILL.md downplays VirusTotal flags as false positives rather than genuine warnings.
Most direct threat evidence
01
User installs skill via SKILL.md instructions (npx clawhub install aibtc) Entry · SKILL.md
02
User runs 'aibtc run <BSC address>' which triggers handler.js Escalation · handler.js
03
handler.js spawns 'npx --yes aibtc-worker <address>' which downloads and executes arbitrary remote npm package code Escalation · handler.js
Why this conclusion was reached
2/4 dimensions flagged Block
Declared vs actual capability
3 undeclared or violating capabilities were inferred.
Review
Hidden execution and egress
4 lower-risk artifacts were extracted and still need context.
Block
Attack chain and severe findings
The report includes 4 attack-chain steps and 2 severe findings.
Pass
Dependencies and supply chain hygiene
Dependencies are present but no obvious high-risk issue stands out.
Attack Chain
01
User installs skill via SKILL.md instructions (npx clawhub install aibtc)
Entry · SKILL.md:24
02
User runs 'aibtc run <BSC address>' which triggers handler.js
Escalation · handler.js:14
03
handler.js spawns 'npx --yes aibtc-worker <address>' which downloads and executes arbitrary remote npm package code
Escalation · handler.js:33
04
Malicious npm package maintainer (or typosquatter) replaces 'aibtc-worker' with code that harvests BSC private keys, wallet credentials, or exfiltrates system data
Impact · N/A
What drove the risk score up
Remote code execution via unpinned npx +35
handler.js spawns 'npx --yes aibtc-worker' with no version pin, no hash verification, and no lockfile — executes arbitrary remote code from npm registry
Undeclared shell execution +15
Uses spawn() and execSync() for shell operations; shell:WRITE capability not declared in capability model mapping
Security warning dismissal +10
SKILL.md explicitly dismisses VirusTotal flags as false positives, which is a known social engineering technique used by malware authors
State file persistence +8
Writes worker state to aibtc-worker.json in current directory, allowing process tracking across invocations
Most important evidence
High Supply Chain
Unpinned Remote Code Execution via npx
handler.js spawns 'npx --yes aibtc-worker' with no version pin, tag, or hash. This downloads and executes arbitrary code from the npm registry, which can be updated at any time to inject malicious code.
handler.js:33 Remove this skill immediately. Remote code execution via unpinned npm packages is a critical supply chain risk. If a mining tool is truly needed, download and audit the binary/source code with pinned hash verification.
High Doc Mismatch
SKILL.md Disclaims Security Warnings Instead of Addressing Them
The disclaimer section explicitly tells users that VirusTotal flags are false positives due to npx behavior. This is a known social engineering pattern where malware authors preemptively warn against security tools to reduce scrutiny.
SKILL.md:41 Legitimate open-source projects do not include pre-emptive VirusTotal disclaimers in skill documentation. This pattern is used to discourage users from investigating security concerns.
Medium Sensitive Access
Undeclared Shell Execution via execSync
handler.js uses execSync to run 'ps aux | grep aibtc-worker' to detect running processes. This shell execution is not declared in SKILL.md's capability section and requires shell:WRITE access.
handler.js:65 Declare shell execution capabilities in SKILL.md and document why process detection requires grep rather than using Node.js process management APIs.
Medium Supply Chain
No Dependency Pinning or Hash Verification
The skill relies on 'aibtc-worker' from npm with no version, tag, or commit hash specified. The package can be updated, replaced with typosquatted variants, or compromised at any time.
handler.js:33 If the package must be used, pin to a specific version (e.g., [email protected]) and verify the package integrity with npm audit and checksums.
Declared capability vs actual capability
Shell Block
Declared NONE
→ Inferred WRITE
handler.js:33 spawn() executes npx commands; handler.js:65 execSync() runs ps/grep Filesystem Block
Declared NONE
→ Inferred WRITE
handler.js:40 writeFileSync(); handler.js:52 readFileSync(); handler.js:59 unlinkSync() Network Block
Declared NONE
→ Inferred READ
npx --yes aibtc-worker fetches and executes remote npm package Suspicious artifacts and egress
Medium External URL
https://aibtc.work SKILL.md:17
Medium External URL
https://x.com/aibtc_ SKILL.md:18
Medium External URL
https://t.me/aibtcchat SKILL.md:19
Medium External URL
https://t.me/aibtc_ann SKILL.md:20
Dependencies and supply chain
| Package | Version | Source | Known vuln | Notes |
|---|---|---|---|---|
| aibtc-worker | unpinned (latest) | npm | No | No version, tag, or hash specified. Package fetched and executed blindly. |
File composition
3 files · 193 lines
JavaScript 1 files · 97 linesMarkdown 1 files · 89 linesJSON 1 files · 7 lines
Files of concern · 2
SKILL.md SKILL.md Disclaims Security Warnings Instead of Addressing Them · https://aibtc.work · https://x.com/aibtc_ · https://t.me/aibtcchat · https://t.me/aibtc_ann
handler.js Unpinned Remote Code Execution via npx · Undeclared Shell Execution via execSync · No Dependency Pinning or Hash Verification
Other files · _meta.json
Security positives
Source code is claimed to be open-source at github.com/aibtcwork/AIBTC-worker, allowing independent audit (though the remote npm execution negates this trust signal)
No obvious credential harvesting code visible in handler.js
State file operations are scoped to a local JSON file