Bitkit Cli

Verdict: Warn. Audited by ClawScan on May 10, 2026.

Overview

This looks like a legitimate Bitcoin/Lightning wallet skill, but it gives agents real-money spending authority and encourages unencrypted wallet seed handling.

Install only if you intend to give an agent access to a self-custody Bitcoin/Lightning wallet. Start with regtest or a low-balance wallet, encrypt the seed if possible, never paste or log the seed phrase, pin the installer/binary version, and require explicit approval for every action that spends funds or changes channels.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If an agent follows a bad instruction or makes a mistake, it could send Bitcoin/Lightning funds or incur fees in ways that are difficult or impossible to reverse.

Why it was flagged

The skill exposes real-money payment execution to agents on mainnet, and the provided instructions do not define required human confirmation, spending limits, or a safe default such as regtest.

Skill content

Quick Start: `bk pay lnbc50u1p... --json`; Global Flags: `--network <net>` default `mainnet`.

Recommendation

Use only an isolated, low-balance wallet; require explicit user approval for every payment, withdrawal, channel close, or fee-bump; set amount and fee caps; test on regtest first.

What this means

A seed phrase stored in plaintext or captured in agent logs/context can let anyone drain the wallet.

Why it was flagged

The docs recommend a no-password agent wallet and show the seed phrase being returned in JSON output, which can expose the private key material controlling the wallet.

Skill content

`# 1. Create wallet (no encryption for agent use)` / `bk init --no-password --json`; the `init` JSON example includes `"seed_phrase"`.

Recommendation

Prefer encrypted seeds, avoid exposing seed phrases to the agent transcript or logs, store credentials outside shared context, and keep only limited funds in any agent-controlled wallet.

What this means

Installing later or from a compromised release could place a different wallet binary on the system.

Why it was flagged

The installer fetches and installs the latest release binary from GitHub. It verifies a checksum file from the same release, but the installed version is not pinned in the skill artifacts.

Skill content

`tag="$(curl ... https://github.com/${REPO}/releases/latest ...)"`; `curl -sSL "${base_url}/${archive}"`; `install -m 755 "${dir}/bitkit" ...`

Recommendation

Inspect the installer, pin a reviewed release version and checksum, and avoid using unreviewed binaries for wallets holding meaningful funds.

What this means

The wallet service may keep running after the immediate task and remain able to process wallet commands until stopped.

Why it was flagged

The skill intentionally supports a background daemon and automatic proxying through its local HTTP API. This is disclosed and purpose-aligned, but it is persistent wallet-related behavior.

Skill content

`Start a persistent daemon for instant execution` ... `bk start --json` ... `all commands automatically proxy through its HTTP API`.

Recommendation

Run `bk status` and `bk stop` when finished, protect the API password, and do not expose the daemon port beyond the local machine.

What this means

Configured endpoints can receive sensitive payment and channel metadata.

Why it was flagged

The wallet can send payment/channel event data to a configured webhook or WebSocket. The docs disclose HMAC and Basic Auth controls, so this is a purpose-aligned data-flow note.

Skill content

`webhook_url = "https://your-agent.example.com/webhook"`; Events: `payment_received`, `payment_sent`, `payment_failed`, `channel_ready`, `channel_closed`; `ws://localhost:3457/events` with Basic Auth.

Recommendation

Only configure trusted HTTPS webhook endpoints, use strong secrets, rotate them if exposed, and avoid forwarding wallet events to shared or untrusted agents.