bitcoin-mcp
PassAudited by ClawScan on May 1, 2026.
Overview
This is a coherent Bitcoin data MCP integration; users should mainly notice that it runs a PyPI package via uvx and sends Bitcoin query data to an external API service.
This appears safe to install if you trust the upstream bitcoin-mcp package and are comfortable using Satoshi API for Bitcoin lookups. Be cautious with private wallet addresses, raw transactions, invoices, or PSBTs, and consider pinning/reviewing the package for higher-assurance use.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing or testing the server may download and run the current bitcoin-mcp package, and later package changes could affect behavior.
The helper invokes bitcoin-mcp through uvx and indicates the package may be downloaded on first use. The artifacts do not pin a package version, so the runtime server code is supplied by the external package source rather than the reviewed files.
subprocess.run(["uvx", "bitcoin-mcp", "--version"], ...); "not cached yet (will download on first use)"
Use a trusted package source, consider pinning a known-good version, and review the upstream package if you will rely on it for sensitive workflows.
The external service may see the Bitcoin addresses, transaction data, invoices, or PSBTs you ask the agent to analyze.
The skill discloses use of an external API and tools that may process Bitcoin addresses, transaction data, or PSBTs. This is aligned with the purpose, but those queries can reveal financial activity or intent to the API provider.
Backed by the [Satoshi API](https://bitcoinsapi.com). ... Addresses: Balance, UTXO set, transaction history ... PSBT: Security analysis
Avoid submitting wallet data or PSBTs you consider private, or use a self-hosted/private Bitcoin data source if financial privacy is important.