Scan Report
15 /100
monero-cpu-mining-setup
A practical, step-by-step guide to setting up XMRig for Monero mining on Windows, Linux, and macOS
A pure documentation/guide skill providing Monero CPU mining setup instructions; the pre-scan IOC flags the phrase 'curl | bash' but it appears as a security warning AGAINST that practice, with no actual code execution anywhere.
Safe to install
Skill is safe to use. No scripts, no code, no exfiltration. Only minor concern is that it teaches cryptocurrency mining which may violate some platform policies — consider whether this is an appropriate skill for the platform.
Findings 1 items
| Severity | Finding | Location |
|---|---|---|
| Low | Pre-scan IOC is a false positive Doc Mismatch | SKILL.md:24 |
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | No filesystem access in any file |
| Network | NONE | NONE | — | No network calls in any file |
| Shell | NONE | NONE | — | No shell execution in any file |
| Environment | NONE | NONE | — | No environment variable access |
| Skill Invoke | NONE | NONE | — | No skill invocation |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | No browser access |
| Database | NONE | NONE | — | No database access |
1 Critical 1 findings
Critical Dangerous Command 危险 Shell 命令
curl | bash SKILL.md:24 File Tree
2 files · 3.8 KB · 121 lines Markdown 1f · 116L
JSON 1f · 5L
├─
package.json
JSON
└─
SKILL.md
Markdown
Security Positives
✓ Skill is purely documentation — no executable code, scripts, or binaries
✓ SKILL.md explicitly warns against using `curl | bash` (anti-pattern caught and flagged)
✓ No environment variable access or credential harvesting
✓ No network calls or data exfiltration
✓ SHA256 checksum verification is recommended for binary downloads
✓ Proper disclaimers about electricity costs, hardware safety, and laptop cooling
✓ Includes legitimate Monero donation/wallet address (not a hidden exfil address)