Build apps with Bitcoin and Stablecoins on Arkade

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Arkade SDK guide, but its Bitcoin, Lightning, and swap examples should be treated as real financial code.

Install this only if you intend to build Arkade or Bitcoin wallet applications. Use testnet/regtest and small trial amounts first, verify package names and endpoints, protect private keys, and require explicit confirmation of destination address, amount, network, fees, invoice details, token, chain, and swap quote before using real funds.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill includes ready-to-run Bitcoin send/offboard examples for irreversible value transfers without explicitly warning users to verify destination addresses, network, amount, and finality before broadcasting. In a wallet/payment SDK context, omission of these safeguards can lead to permanent fund loss from copy/paste mistakes, wrong-network transfers, or misuse by downstream agents that present the example as safe-by-default.

Missing User Warnings

Medium
Confidence: 95%
Finding
The Lightning examples show creating and paying invoices through an external swap provider without warning that invoice payment is irreversible and that invoice/payment metadata is disclosed to third-party swap infrastructure. Because this skill is specifically for financial operations over Bitcoin and Lightning, agents or developers may operationalize the example without understanding privacy, custody boundary, and mispayment risks.

Missing User Warnings

Medium
Confidence: 97%
Finding
The stablecoin swap section demonstrates cross-chain BTC-to-stablecoin transfers to an external EVM address without warning about irreversible asset movement, destination-address correctness, token/chain mismatches, and bridge/swap execution risk. In this context the omission is especially dangerous because cross-chain swaps compound the chance of unrecoverable loss if the wrong token, chain, or address is supplied.

VirusTotal

66/66 vendors flagged this skill as clean.
