Nostr Wallet Connect (NWC) bridge for mdk-agent-wallet, a self-custodial Bitcoin Lightning wallet for AI agents.

Security checks across malware telemetry and agentic risk

Overview

This is a real wallet bridge, but it can expose Bitcoin Lightning spending authority more broadly than users may expect.

Review carefully before installing. Use only with a small isolated wallet, keep NWC_AUTO_REGISTER disabled, protect state.json and logs, avoid sharing generated NWC URIs, and do not rely on receive-only or send-only separation until the code enforces allow_methods before payment execution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
When NWC_AUTO_REGISTER is enabled, any remote Nostr pubkey that sends a request to the wallet service can be persisted as an authorized connection without going through the explicit provisioning flow. In a wallet bridge, that materially weakens the trust boundary and can expose balance queries, invoice creation, and potentially spending to arbitrary remote clients depending on configuration and defaults.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill exposes a local wallet as a Nostr Wallet Connect service capable of handling invoice creation and payment requests, but the description does not prominently warn users that enabling it creates a remotely reachable payment-processing interface. In this context, weak warning language is dangerous because users may deploy it as a background systemd service without understanding that misconfiguration, overbroad permissions, or leaked connection secrets could enable unauthorized spending.

Missing User Warnings

Medium
Confidence: 89%
Finding
The wallet service secret key is stored in plaintext JSON on disk, and the code does not enforce restrictive filesystem permissions or provide operational safeguards at write time. If the state file is readable by other local users, backed up insecurely, or exposed via misconfiguration, an attacker can impersonate the wallet service and handle or forge NWC traffic.

Missing User Warnings

Medium
Confidence: 94%
Finding
This code path silently changes authorization state by adding previously unknown remote clients to the trusted connections list based only on incoming traffic when an environment flag is set. For a wallet-exposing service, implicit trust enrollment is dangerous because it can grant remote parties ongoing access without deliberate operator approval.

VirusTotal

64/64 vendors flagged this skill as clean.
