Skill v1.0.5
ClawScan security
AI-native Bitcoin payments. Buy, sell, send, and request Bitcoin directly through any existing messenger app (Telegram, WhatsApp, Signal, Email) or create your own email accounts to start messaging via email. · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious (Mar 14, 2026, 6:58 PM)
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's instructions broadly match a Bitcoin-in-messenger payment service, but there are multiple concerning signals (prompt-injection markers, secret-handling instructions, and autonomous recurring checks) that warrant careful review before installation.
- Guidance
- This skill generally does what it claims (create Bit-Chat mailboxes, obtain Lightning addresses, send/request BTC via messengers and email) but has behaviors you should deliberately approve and monitor:
  1. It will create mailboxes and require persisting passwords; ensure your agent uses a secure secret store (OS keychain, team vault) rather than leaving secrets in chat or in plain files.
  2. It instructs periodic polling of the mail endpoint and external messaging channels; limit or review scheduling and network permissions so the agent cannot run unchecked.
  3. The SKILL.md contains unicode control characters (possible obfuscation); inspect the raw files for hidden content before trusting them.
  4. Verify the external endpoints and operator identity (mail.bit-chat.me, bit-chat.me, the Telegram bot, and the listed WhatsApp/Signal contacts) independently (WHOIS, TLS certs, contact verification) before provisioning funds or automating payments.
  5. Test the skill in a sandboxed agent with small value transactions and human-in-the-loop approval for any outgoing payment.
  If you cannot verify the service and operator, or if you cannot ensure secure secret storage and strict approval controls, do not enable this skill for production use.
- Findings
[unicode-control-chars] unexpected: Unicode control characters (invisible/formatting characters) are not expected for a payment/integration skill. They can be used to obfuscate text or attempt prompt-injection; this increases risk and should be investigated (inspect raw SKILL.md for hidden characters).
Review Dimensions
- Purpose & Capability
- note: The name/description (AI-native Bitcoin payments via Bit-Chat) aligns with the instructions (create a Bit-Chat mailbox, obtain a Lightning address, send/request BTC via email/Telegram/WhatsApp/Signal). It is plausible for an instruction-only skill to rely on existing messenger and mail connectors rather than declared env vars. Note: the skill expects network access, ability to send messages and create mailboxes via https://mail.bit-chat.me/register-user.php, and to persist credentials locally; these capabilities are not explicitly declared but are required for its operation.
- Instruction Scope
- concern: The SKILL.md tells the agent to create accounts, store mailbox passwords to disk or a secret store, check IMAP mail regularly (mail.bit-chat.me), contact external bots/phone numbers, and automatically forward Lightning addresses to a human. It also instructs periodic polling (heartbeat every hour or 10–15 minutes while active). These behaviors are within the stated purpose but expand the agent's activity surface (credential creation/storage, frequent external polling, and automated forwarding). Additionally, a pre-scan found unicode-control-chars in SKILL.md, which can be used for obfuscation or prompt-injection; this is unexpected for a payments skill and raises concern.
- Install Mechanism
- ok: Instruction-only skill with no install spec or code files; lowest install risk because nothing is written to disk by the package itself. The skill relies on networked endpoints and existing platform connectors rather than installing third-party code.
- Credentials
- note: The skill does not request environment variables or keys, which is consistent if it expects the agent's existing messenger/email integrations to handle credentials. However, it instructs creation and local persistence of mailbox passwords and other secrets (recommended .agent-secrets JSON), so it will cause the agent environment to store new sensitive credentials. Users should verify that secret storage is secure and that the agent is authorized to manage financial rails and credentials.
- Persistence & Privilege
- note: always:false (not force-included) and normal autonomous invocation allowed. The skill's instructions include recurring heartbeat checks and frequent polling, which, when combined with an agent that can invoke skills autonomously, could produce sustained network activity and ongoing access to funds/addresses. That is not forbidden, but users should be aware and control scheduling/permissions.
