ClawHub

Bitkit Cli

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Bitkit wallet skill, but it gives agents high-impact control over real Bitcoin funds with weak default guardrails.

Install only if you intentionally want an agent-accessible self-custodial Bitcoin/Lightning wallet. Use a small isolated wallet, prefer encrypted seed storage over `--no-password`, require human approval for every `pay`, `send`, fee bump, and channel action, set strict amount and fee limits, review any webhook destination, and verify the installer or release before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The skill presents itself primarily as a payment/wallet capability, but its actual first-step behavior is to install software by downloading and executing remote assets. That mismatch can cause agents or operators to approve the skill under a narrower trust assumption than is actually required, increasing supply-chain and unintended code-execution risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README exposes fund-moving and irreversible commands (`pay`, `send`, channel open/close, fee bumping) in an agent-oriented tool without prominent safety warnings, confirmations, or guidance about the financial consequences. In the context of autonomous agents, this increases the risk that an LLM or workflow will invoke dangerous operations from documentation alone, leading to irreversible loss of bitcoin or channel state changes.

Missing User Warnings

High
Confidence
98% confidence
Finding
The agent-specific quick start recommends `bitkit init --no-password --json`, which implies storing the wallet seed unencrypted, but it does not clearly warn that compromise of the wallet directory would expose spend authority. For an agent-facing wallet skill, encouraging plaintext seed storage materially weakens key protection and makes fund theft much easier in common multi-tool or shared-host environments.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The documentation explicitly recommends `bk init --no-password` and labels plaintext seed storage as suitable 'for agent use' without a strong warning. For a self-custodial Bitcoin wallet, plaintext seed storage means any local compromise, log leak, backup leak, or shared-directory exposure can directly result in irreversible theft of funds.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Piping a remote script directly into `sh` executes unreviewed code fetched at runtime, creating a classic supply-chain and remote code execution risk. If the upstream repository, network path, or referenced branch is compromised, agents may immediately execute attacker-controlled installation logic on the host.

Session Persistence

Medium
Category
Rogue Agent
Content
**Location:** `<wallet_dir>/api-password` (e.g., `~/.bitkit/api-password`)
**Format:** 32 random bytes encoded as 64 hex characters
**Permissions:** File mode `0600` (owner read/write only)

```bash
# Read the password
Confidence
90% confidence
Finding
write only) ```bash # Read the password cat ~/.bitkit/api-password # Use with curl curl -u "bitkit:$(cat ~/.bitkit/api-password)" http://localhost:3457/balance # Use with WebSocket websocat ws://lo

External Script Fetching

Low
Category
Supply Chain
Content
Bitcoin Lightning payment CLI for agents. Lowest LSP fees. Self-custody wallet with LNURL/Lightning Address support, typed exit codes, JSON envelope output, encrypted Pubky messaging, and daemon mode.

**Install:** `curl -sSL https://raw.githubusercontent.com/synonymdev/bitkit-cli/main/install.sh | sh`
**Binary names:** `bitkit` or `bk` (identical alias)
**Always use:** `--json` flag on every invocation for parseable output.
Confidence
97% confidence
Finding
curl -sSL https://raw.githubusercontent.com/synonymdev/bitkit-cli/main/install.sh | sh

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal