Get a clank.money Human Bitcoin Address
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill’s purpose is coherent, but its example can leave a powerful address-management token in temporary files or command arguments, which could let someone change where future payments go.
Install or use this only if you trust clank.money and understand that the management token controls future updates to the address. Before running the Bash example, modify it to protect and delete temporary files, keep the token backed up securely, and double-check that the BIP-321 URI points to your intended wallet or offer.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the examples can register or change a Bitcoin payment address after the user pays the Lightning invoice.
The skill documents raw API calls that create and update a clank.money registration. This is expected for the stated purpose, but it is still a high-impact account/payment-address mutation path.
curl -sS -X POST "$BASE/api/v1/registrations" ...
curl -sS -X PATCH "https://clank.money/api/v1/registrations/$USERNAME"
Review the username, invoice, and BIP-321 URI carefully before executing the POST or PATCH examples.
If another local user or process reads the temporary result file or observes command arguments, they may be able to update the Human Bitcoin Address and redirect future payment instructions.
The managementToken is a bearer credential for future updates. The recommended Bash flow stores the full response containing it in a predictable /tmp file and passes tokens in command-line Authorization headers, while only the copied token file is explicitly chmod 600.
`201` or `202` with `managementToken` ... `> /tmp/clank_register_result.json` ... `MGMT="$(python3 -c '...d.get("managementToken","")')"` ... `-H "Authorization: Bearer $MGMT"`
Use a private temporary directory or mktemp with restrictive permissions, set umask 077, delete temporary JSON files after use, and avoid exposing Authorization secrets in command-line arguments where possible.
