Bitcoin Wallet for Agents using Arkade

Security checks across malware telemetry and agentic risk

Overview

This is a real cryptocurrency wallet skill that matches its stated purpose, but some payment and swap actions can move funds immediately without an enforced confirmation step.

Review before installing. Use only small test amounts first, protect ~/.arkade-wallet/config.json, do not paste existing private keys into prompts or shell commands, and approve any payment or swap only after checking the amount, destination, network, fees, and finality.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Context-Inappropriate Capability

Medium (91% confidence)
Finding
The skill exposes the full underlying Wallet via getWallet(), which breaks the intended capability boundary of a focused Bitcoin transfer/ramp skill. Any caller granted access to the skill can potentially invoke broader wallet methods not reviewed or constrained by this wrapper, increasing the attack surface and enabling unauthorized fund movements or sensitive wallet operations if higher-level policy assumes the skill is narrowly scoped.

Description-Behavior Mismatch

Medium (95% confidence)
Finding
The skill automatically executes `wallet.sendBitcoin(...)` immediately after swap creation, causing irreversible BTC movement without a separate explicit approval step at the point of transfer. This is especially dangerous because the surrounding documentation suggests a manual funding flow, so an integrator or user may invoke the method expecting only swap setup while actually authorizing a live onchain/offchain spend.

Intent-Code Divergence

Medium (88% confidence)
Finding
The example documentation says the user will fund the HTLC separately and then claim, but the implementation auto-funds during swap creation. This mismatch can lead developers to call the method in contexts where they only intended to prepare a swap quote/order, resulting in unintended BTC transfer and unsafe integration assumptions.

Missing User Warnings

High (94% confidence)
Finding
The README instructs users to initialize the wallet with a raw private key (`arkade init <private-key-hex>` / `SingleKey.fromHex(privateKeyHex)`) without any warning about secure key handling, storage, shell history exposure, or the risk of irreversible fund loss if the key is leaked. In a cryptocurrency wallet skill, encouraging direct CLI/API use of raw private key material materially increases the chance that users or agents will expose secrets in logs, command history, screenshots, or process lists.

Missing User Warnings

High (90% confidence)
Finding
The quick-start section shows money-moving commands for Bitcoin and Lightning without any warning that transactions may be irreversible, may incur fees, and can transfer real funds if run against production infrastructure. Because this is an agent skill intended for automation, the lack of cautions increases the risk that users or agents invoke payment commands in unsafe contexts or with unverified addresses/invoices.

Missing User Warnings

Medium (87% confidence)
Finding
The command reference lists onchain/offchain transfer and swap operations without warning about counterparty dependence, bridge/swap risk, network fees, delays, slippage, address-chain mismatches, or transaction finality. In a financial automation skill, omission of these operational safety constraints can lead users or agents to perform high-risk asset movements without understanding the trust and loss boundaries.

Missing User Warnings

Medium (82% confidence)
Finding
The `swap-to-stable` command initiates a fund-moving operation immediately after basic argument parsing, with no interactive confirmation, dry-run preview, or explicit irreversibility warning. In an agent-oriented CLI handling cryptocurrency, this increases the chance of accidental or prompt-induced transfers to an attacker-controlled destination, especially because the target token/chain/address are supplied directly as parameters.

Missing User Warnings

Medium (84% confidence)
Finding
The `swap-to-btc` path likewise performs an external asset-transfer workflow without any explicit user confirmation or strong warning. Because it accepts a user-controlled EVM address and initiates cross-system swap state, mistakes or malicious prompting can lead to irreversible transfer attempts or loss of access to funds if the wrong parameters are provided.

Missing User Warnings

Medium (96% confidence)
Finding
The code performs an automatic BTC transfer at execution time with no user-facing warning, confirmation hook, or policy gate in this method. In a wallet-integrated skill, hidden or non-obvious value transfer is a serious security issue because a caller can trigger asset movement through what appears to be a swap orchestration API rather than a clearly consented payment action.

VirusTotal

64/64 vendors flagged this skill as clean.
