Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Blink Wallet

v1.7.1

Bitcoin Lightning wallet for agents — balances, invoices, payments, BTC/USD swaps, QR codes, price conversion, transaction history, and L402 auto-pay client...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals: Crypto · Requires wallet · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Benign (View report →)
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (Blink Lightning wallet) match the requested binary (node), the single required env var (BLINK_API_KEY), the optional Blink URLs, and the included scripts that implement wallet, invoice, payment, swap, L402, QR, and budget features.
Instruction Scope
Runtime instructions and scripts perform wallet operations and explicitly list filesystem reads/writes (scan of shell rc files to find BLINK_API_KEY, writing ~/.blink files, writing QR PNGs to /tmp). Reading rc files is narrowly scoped (regex for BLINK_API_KEY), but it does access user profile files and writes persistent token/config files under ~/.blink.
Install Mechanism
There is no network install step or third-party package download; the repo contains self-contained Node.js scripts that use only built-in modules. No suspicious external installers or arbitrary URL downloads are present.
Credentials
Only BLINK_API_KEY is required (primary credential) and optional env vars relate to L402 root key, budget, and alternative endpoints — these are relevant to the skill. The code will try to auto-detect BLINK_API_KEY by scanning shell rc files (only to extract that single token). It also persists secrets/caches (L402 root key, L402 token cache) to ~/.blink, which is reasonable for auto-pay but worth user awareness.
Persistence & Privilege
Skill is not always-enabled; it stores persistent files under ~/.blink (budget.json, spending-log.json, l402-root-key, l402-tokens.json) and writes temporary PNGs to /tmp. These files are scoped to the user's home directory and appear necessary for budget, token caching, and L402 functionality — but they are persistent credentials/cache that the user should manage (file permissions are set where possible).
Assessment
This skill appears to do exactly what it claims: operate a Blink custodial Lightning wallet via the Blink API. Before installing:
1) Be prepared to provide BLINK_API_KEY with appropriate scopes (start read/receive only; grant Write only when you intend to send payments).
2) Note that the skill will try to read your shell rc files (~/.profile, ~/.bashrc, ~/.bash_profile, ~/.zshrc), only to locate a BLINK_API_KEY export, if the variable is not in the environment; remove other secrets from those files if you prefer not to have them scanned.
3) The skill creates and persists files under ~/.blink (budget config, spending log, L402 root key, L402 token cache) and writes temporary QR PNGs to /tmp; if you don't want an auto-generated L402 root key stored, set BLINK_L402_ROOT_KEY yourself.
4) The scripts contact api.blink.sv (or the BLINK_API_URL/BLINK_WS_URL overrides) and send X-API-KEY to that endpoint only.
5) Run first against the staging/test environment (via BLINK_API_URL) and configure BLINK_BUDGET_* or BLINK_L402_ALLOWED_DOMAINS to limit automated spending.
6) If you need stronger isolation, review the included scripts locally before enabling the skill, or run them in a restricted environment.
Overall the package is internally consistent with its stated purpose.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
scripts/_blink_client.js:27: Environment variable access combined with network send.
scripts/_blink_client.js:60: File read combined with network send (possible exfiltration).
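How flags like the two above arise, as an added example that is not ClawHub's scanner: a file-level co-occurrence heuristic that pairs an environment read or a file read with a network send. The rule names, regexes and the sample source are constructed for illustration. The point for a reviewer is that such a check fires on any client that reads its own API key and posts it to its own API, so the flag is a prompt to read the lines, not a verdict.

```javascript
// Added example (not ClawHub's scanner): a minimal co-occurrence heuristic that
// produces flags of the kind shown in "Patterns worth reviewing". Rule names,
// regexes and the sample source are constructed for this page.
'use strict';

const NETWORK_RE = /\b(?:fetch\s*\(|https?\.request\s*\(|https?\.get\s*\(|new\s+WebSocket\s*\()/;
const ENV_RE = /\bprocess\.env\b/;
const FILE_READ_RE = /\bfs\.(?:readFileSync|readFile|promises\.readFile)\s*\(/;

// 1-based line number of the first line matching `re`, or null if none does.
function firstLine(source, re) {
  const lines = source.split('\n');
  for (let i = 0; i < lines.length; i++) if (re.test(lines[i])) return i + 1;
  return null;
}

// One finding per heuristic whose two halves both appear in the same file. This
// is deliberately file-level, like the listing's flags: it cannot distinguish
// "send my own key to my own API" from exfiltration, which is why the page says
// to read the VirusTotal/OpenClaw context before acting on a flag.
function flagPatterns(source) {
  const net = firstLine(source, NETWORK_RE);
  if (net === null) return [];
  const findings = [];
  const env = firstLine(source, ENV_RE);
  if (env !== null) findings.push({ rule: 'env-access+network-send', line: env });
  const read = firstLine(source, FILE_READ_RE);
  if (read !== null) findings.push({ rule: 'file-read+network-send', line: read });
  return findings;
}

// Constructed sample of a plausible API client (not the skill's file). Both
// heuristics fire on it even though it only sends its own key to its own API.
const SAMPLE = `'use strict';
const fs = require('node:fs');
function apiKey() {
  if (process.env.BLINK_API_KEY) return process.env.BLINK_API_KEY;
  return fs.readFileSync(process.env.HOME + '/.blink/key', 'utf8').trim();
}
async function query(body) {
  return fetch('https://api.blink.sv/', {
    method: 'POST', headers: { 'X-API-KEY': apiKey() }, body,
  });
}
`;
```

flagPatterns(SAMPLE) returns the env-access finding at line 4 and the file-read finding at line 5; a source with no network call returns nothing, whatever else it reads. When reviewing a real flag, the useful questions are which host the send goes to and whether the value read is the skill's own credential or something unrelated.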

Like a lobster shell, security has layers — review code before you run it.

latest · vk970g69ebhsxt9nedtf8jweftn84dxvm


Runtime requirements

Clawdis
Bins: node
Env: BLINK_API_KEY
Primary env: BLINK_API_KEY
