Build apps with Bitcoin and Stablecoins on Arkade
Pass
Audited by ClawScan on May 1, 2026.
Overview
The skill is a coherent instruction-only Arkade SDK guide, but it includes examples that handle private keys and move Bitcoin, so users should treat it as high-impact documentation.
Install or use this skill only if you intend to build Arkade/Bitcoin applications. Treat its examples as financial code: verify npm packages and endpoints, use test networks first, protect private keys, and require explicit user confirmation before any real payment, offboard, Lightning payment, or swap.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a real private key is mishandled, anyone with access to it could control the associated funds.
The guide explicitly covers private-key-based wallet identity. This is expected for a Bitcoin wallet SDK guide and includes a key-management warning, but private keys are highly sensitive.
const identity = SingleKey.fromHex("your-private-key-hex"); ... For production, always use a secure key management solution rather than hardcoded keys.
Use test keys while developing, avoid hardcoding real keys, and store production keys only in an appropriate secure key-management system.
Copied or adapted code could move real Bitcoin to the wrong address or send more than intended.
The examples show code paths that can send or offboard Bitcoin. These are central to the skill's purpose and are presented as developer examples, not automatic execution, but they are financially irreversible if run with real funds.
const txid = await wallet.sendBitcoin({ address: "ark1...", amount: 50000 }); ...
const exitTxid = await ramps.offboard(
  "bc1q...",
  info.fees,
  // amount, // optional — defaults to all available
);
Use testnet or small amounts first, validate destination addresses and amounts, and require explicit user approval before any send, offboard, Lightning payment, or swap.
Installing the wrong or compromised package could affect applications that manage funds.
The guide instructs users to install external npm packages without pinned versions. This is normal for an SDK development guide, but supply-chain trust matters because the packages would handle wallet and payment code.
npm install @arkade-os/sdk ... npm install @arkade-os/boltz-swap ... npm install @arkade-os/skill
Verify package names, maintainers, checksums or lockfiles, and use pinned versions in production projects.
Provider services may receive transaction, wallet, or swap metadata needed for the integration.
The examples connect wallet and Lightning swap workflows to external Arkade and Boltz provider endpoints. This is disclosed and expected for the integration, but it creates external data flows around wallet and swap activity.
arkServerUrl: "https://arkade.computer" ... apiUrl: "https://api.ark.boltz.exchange"
Use trusted endpoints, understand provider privacy practices, and avoid sending production wallet or swap data to untrusted servers.
