BitNote
Warn. Audited by ClawScan on May 10, 2026.
Overview
BitNote is a coherent skill for encrypted on-chain memory, but it handles a passphrase that unlocks private key material and can broadcast blockchain writes, despite metadata declaring no credentials or environment needs.
Install only if you intentionally want an agent to exercise BitNote account authority. Start with a throwaway account, keep the passphrase out of chat and logs, run dry-runs first, approve every real write or share, and avoid storing irreplaceable secrets unless you accept permanent encrypted on-chain storage.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used with a real BitNote account, the agent can unlock key material, spend gas, and mutate that account's on-chain notes.
This is explicit credential and private-key authority. The registry metadata says there is no primary credential and no required environment variable, so a user may not see the privilege boundary before reading the full skill.
`BITNOTE_PASSPHRASE` (**required** for write/share operations) ... `scripts/writeBitnoteUiCompat.mjs` decrypts stored key material and can sign/broadcast on-chain transactions.
Use a throwaway or minimally funded account first, keep the passphrase in a secret manager, require human approval for every non-dry-run write, and declare the passphrase/credential requirement in metadata.
A mistaken or automated non-dry-run invocation can publish an encrypted note and incur blockchain fees.
The script defaults to a real transaction unless `--dry-run 1` is supplied. This is purpose-aligned and documented, but it is a high-impact action that costs gas and writes on-chain.
`const dryRun = (arg('dry-run', '0') === '1');` ... `const tx = await notes.setUserBytes(noteIndex, noteHex, { gasLimit: (gas * 12n) / 10n });`
Run dry-run mode first, verify the target username, profile and request-id, and approve each broadcast explicitly.
Secrets or identity instructions stored here may persist long-term and shape future agent behavior; if the passphrase or recipient selection is wrong, sensitive data may be exposed or become unrecoverable.
The skill is designed to create durable agent memory containing highly sensitive material and recovery instructions. That is central to the purpose, but it means future agents may rely on persistent stored context.
Store secrets (API keys, credentials, private keys). ... Recover state after runtime/server failures.
Store only necessary secrets, version and review identity/recovery notes, avoid plaintext secrets, and plan for passphrase rotation and compromise scenarios.
Future installs could resolve a different compatible ethers release than the one the author tested.
The skill depends on an external npm package using a version range. This is expected for Ethereum tooling, but the package is not pinned by a lockfile in the provided artifacts.
`"dependencies": { "ethers": "^6.16.0" }`
Install in an isolated environment and prefer a lockfile or a pinned dependency version for repeatable use.
