Bitcoin and Tether on Arkade
v1.0.2
Send and receive Bitcoin over Arkade (offchain), onchain (via onboard/offboard), and Lightning. Swap USDC/USDT stablecoins.
by @tiero
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign, high confidence
Purpose & Capability
The name/description (Arkade wallet, Lightning, LendaSwap) align with the included code and declared dependencies (@arkade-os/sdk, @arkade-os/boltz-swap). Required binaries/env/configs are minimal and appropriate for a wallet/skill. There are no extraneous credentials or unrelated tools requested.
Instruction Scope
SKILL.md and the CLI/SDK code instruct the agent to create a local wallet, show addresses, perform on/offboarding, Lightning swaps, and call LendaSwap/Boltz/Arkade server APIs. The instructions do not ask the agent to read unrelated system files or credentials, but do direct the agent to contact external endpoints (default server https://arkade.computer, LendaSwap API, Boltz endpoints) and to persist wallet config locally.
Install Mechanism
There is no install spec in the skill manifest (instruction-only path), but the package includes Node source, package.json and a pnpm lockfile. Dependencies are standard npm packages and appear traceable (not arbitrary HTTP downloads). The CLI dynamically imports @arkade-os/sdk and local built artifacts under dist; runtime will require Node modules to be present or installed by the environment.
Credentials
The skill requests no environment variables, which is appropriate. However, it auto-generates and persists the private key in plaintext at ~/.arkade-wallet/config.json (privateKey present in JSON) with file permissions set (0600). Storing private keys unencrypted on disk is sensitive and worth caution. The skill also transmits wallet addresses and swap details to external services (apilendaswap.lendasat.com, arkade.computer, Boltz endpoints) as part of normal operation.
Persistence & Privilege
always:false and the skill does not request elevated platform privileges. It does create and write a persistent config file (~/.arkade-wallet/config.json) containing a plaintext private key and server URL; saving its own config is expected for a wallet but is persistent sensitive state that should be protected by the host environment.
Assessment
What this evaluation means and what to check before installing:
- The skill appears to be what it says: an Arkade wallet + Lightning + LendaSwap integration. Its dependencies and code match the described functionality.
- Sensitive storage: the CLI auto-generates a private key and stores it in plaintext at ~/.arkade-wallet/config.json (chmod 0600). If an attacker or untrusted process can read your home directory, your funds could be stolen. Consider only installing on a machine you control, or modify the code to encrypt the key or use an external key manager/hardware wallet.
- Network calls: the skill contacts external services (default Arkade server, LendaSwap API, Boltz APIs). Those services will receive wallet addresses, swap requests and related metadata — only use the skill if you trust those endpoints. Review the domains and, if possible, configure custom, audited endpoints.
- Dependencies: the package relies on @arkade-os/sdk and boltz-swap. If you install from a registry, ensure the package/version provenance is trustworthy (publisher identity, checksums). The included pnpm-lock indicates recorded integrity hashes, which is good when installing from the same source.
- Runtime/build: the CLI imports built artifacts from dist; ensure the skill is built or installed via npm/pnpm so runtime imports succeed. Test in a safe environment first.
Recommended actions before installing:
- Inspect or verify the package published to npm (publisher, integrity hashes).
- Run the code in an isolated environment (VM/container) and verify behavior.
- Consider modifying the skill to encrypt the private key or use an HSM/hardware wallet, or keep the wallet key offline and only use read-only operations in this environment.
- If you allow autonomous agent invocation, be aware the skill can perform on-chain/offchain operations — restrict autonomous use or require user confirmation for funds movements.
If you want, I can: (a) show the exact lines where the private key is written and how to change it to encrypted storage, (b) list the external endpoints the skill will call, or (c) provide a short patch to avoid storing the private key in plaintext.
