Skill v0.2.0
ClawScan security
Bitkit Cli · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 22, 2026, 10:17 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally coherent: it documents and requires the bitkit CLI, its runtime behavior and install mechanism match the documentation, and it does not request unrelated credentials or privileged platform access — but it exposes sensitive wallet functionality (seed, daemon API, webhooks) that you should treat carefully.
- Guidance
- This skill appears to be what it claims (a bitkit CLI wrapper) and the install script downloads releases from GitHub with checksum checks. Before installing or invoking it, consider the following:
  - Only install/run if you trust the upstream project and the agent invoking it. The skill creates an on-host, self-custodial Bitcoin wallet and daemon — that means private keys/seed phrases and an API password will be stored on-disk (default ~/.bitkit). Treat those as high-value secrets.
  - The SKILL.md encourages `--no-password` (plaintext seed) for automation. Do not use `--no-password` on any machine you do not fully control. If you must automate, isolate the agent in a dedicated, network-restricted environment and limit filesystem access.
  - The daemon exposes an HTTP API and websocket events and writes an api-password file. Ensure the daemon is bound only to localhost unless you intentionally want remote access, and protect the api-password file (0600). Review and control any webhook_url you configure — webhooks post event data and could leak metadata or payment events to remote endpoints.
  - The install script uses a curl|sh pattern to fetch a tarball from GitHub releases; it attempts to verify checksums locally. Prefer reviewing the install.sh and the GitHub release (tag) manually before running, and ensure your system has sha256sum/shasum to enable verification.
  - If you simply want to test functionality, use regtest or a disposable environment rather than mainnet. Confirm wallet_dir permissions and back up any recovery info you intend to keep.
- If you want a deeper check: provide the specific GitHub release tag or upstream repository contents (to confirm authenticity), or run the install script in an isolated container and inspect the extracted binary and checksums before moving it into system PATH.
Review Dimensions
- Purpose & Capability
- ok: Name/description (Bitcoin Lightning CLI for agents) aligns with the files and runtime instructions. The skill only requires the 'bitkit' binary and the SKILL.md and README describe using that binary; there are no unrelated environment variables or credentials declared. The one minor metadata inconsistency: the registry metadata lists no homepage while SKILL.md includes a GitHub homepage URL, but this does not affect capability alignment.
- Instruction Scope
- note: SKILL.md instructs the agent to run `bitkit` commands (init, start, invoice, pay, etc.) and to use daemon mode and webhooks. Those instructions stay within the stated purpose, but they also create and manage sensitive local state: seed_phrase/seed.enc, an auto-generated daemon API password (api-password file), and config/webhook settings that can POST events off-host. The docs explicitly recommend `--no-password` for agent automation (i.e., storing seed plaintext) — this is a functional choice but a high-risk one if the host or agent is not fully trusted.
- Install Mechanism
- ok: install.sh downloads release archives from GitHub Releases (synonymdev/bitkit-cli) and verifies checksums via checksums.sha256 when a local verifier exists. This is a standard install pattern and uses a well-known release host. The script uses curl and extracts a tarball into /usr/local/bin or ~/.local/bin; it warns if checksum verification tools are missing. Note: piping remote scripts to sh is common but carries the usual risk; the script does perform checksum verification where possible.
- Credentials
- note: The skill declares no required environment variables or credentials — appropriate for a CLI wrapper. The documentation references reasonable env vars (BITKIT_DIR, BITKIT_NETWORK, BITKIT_PASSWORD, BITKIT_LISTEN). No unrelated secrets are requested. However, the runtime behavior will create sensitive artifacts (wallet seed, API password file, config with webhook_url) which are proportionate to a self-custodial wallet but must be treated as high-value secrets.
- Persistence & Privilege
- ok: The skill does not request 'always: true' and uses the platform-default ability for autonomous invocation. It will write persistent wallet and daemon files under ~/.bitkit (or BITKIT_DIR) and may run a background daemon that exposes an HTTP API and websocket/events endpoint — this is expected for the functionality. There is no evidence it tries to modify other skills or system-wide agent settings beyond installing its own binary into standard locations.
