Bitcoin and Tether on Arkade
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This looks like a legitimate Arkade crypto-wallet skill, but it gives an agent direct ability to move funds and manage wallet keys, so it needs review before use.
Install only if you intend to let an agent operate an Arkade wallet. Use small balances or test funds first, require explicit out-of-band confirmation for every payment or swap, verify recipients and fees carefully, protect `~/.arkade-wallet/config.json`, and pin/verify the npm package before using it with real money.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent invokes this command incorrectly or without clear user approval, real cryptocurrency funds could be sent to the wrong recipient and may not be recoverable.
The send command directly initiates a Bitcoin transfer after basic amount validation. The provided artifacts do not show an additional human confirmation step, spending limit, recipient allowlist, or reversible workflow.
const sats = parseInt(amount, 10); ... const result = await bitcoin.send({ address, amount: sats });
Require explicit human approval for every send, offboard, Lightning payment, and swap; verify recipient, amount, network, and fees; and consider using small balances, spending limits, or a separate wallet for agent use.
Anyone or anything that can read or modify the wallet config file may be able to control or disrupt the wallet funds.
The skill creates and persists a wallet private key that controls funds. This is expected for a wallet and is disclosed, but it is high-value credential material.
**Data Storage:** `~/.arkade-wallet/config.json`; Private keys are auto-generated on first use and stored locally.
Protect the local config file, keep backups only in secure locations, do not share it with agents or support channels, and avoid storing large balances in an agent-controlled wallet.
External providers may learn wallet addresses, intended swap recipients, token choices, and amounts.
Stablecoin swap requests send wallet addresses, target addresses, chains/tokens, and amounts to the LendaSwap provider. This is purpose-aligned, but users should understand that transaction metadata leaves the local machine.
const DEFAULT_API_URL = "https://apilendaswap.lendasat.com/"; ... body: JSON.stringify({ sourceAddress: arkAddress, targetAddress: params.targetAddress, targetToken: params.targetToken, targetChain: params.targetChain, sourceAmount: params.sourceAmount })
Review the privacy and trust model of Arkade, Boltz, and LendaSwap before use, and avoid using addresses or amounts you do not want associated with those services.
If enabled, swap-management activity may continue automatically during the process and act on pending swaps without a fresh user prompt for each step.
The Lightning integration exposes an optional background swap manager with auto actions and auto-start. It is not enabled by default, but enabling it creates ongoing autonomous behavior.
enableSwapManager?: boolean; ... swapManager: config.enableSwapManager ? { enableAutoActions: true, autoStart: true } : undefined
Only enable the swap manager when you understand its behavior, monitor pending swaps, and call the provided stop/dispose methods when finished.
A compromised or unexpected package version could affect wallet behavior or funds.
The quick start downloads and runs an npm package at command time. This is a common CLI pattern, but supply-chain provenance matters more because the package controls wallet operations.
pnpm dlx @arkade-os/skill init ... npx -y -p @arkade-os/skill arkade init
Verify the npm package identity and publisher, prefer pinned versions, and review dependency updates before using the skill with real funds.
