Back to skill

Security audit

AIBTC Bitcoin Wallet

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed crypto wallet skill, but it gives agents broad authority over funds, keys, DeFi actions, paid APIs, and persistent identity flows without enough consistent safety gates.

Install only if you intentionally want an agent-controlled crypto wallet. Pin and audit the MCP server package, start on testnet or with a dedicated low-balance wallet, avoid importing valuable seed phrases, protect `PILLAR_API_KEY` as signing authority, keep wallets locked by default, and require explicit approval for every transfer, DeFi action, contract write/deploy, inscription, identity registration, and paid API call.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill is presented primarily as a Bitcoin wallet, but the documented capabilities expand into paid API execution, inbox messaging, identity registration, and reputation workflows. This broader scope increases the attack surface and can mislead users or agents into invoking higher-risk functions than expected, especially where payments or identity actions are involved.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Including endpoint scaffolding for building new x402 APIs is unrelated to ordinary wallet use and materially broadens what the skill can do. In an agent context, this creates unnecessary capability creep and could enable unreviewed service creation or code generation paths that are not expected from a wallet skill.

Intent-Code Divergence

Medium
Confidence
83% confidence
Finding
The guidance normalizes automatic unlocking of a signing key whenever `PILLAR_API_KEY` is present, which weakens operator expectations around explicit key-use boundaries. In an agent wallet context, this increases the risk of unintended signing or misuse of privileged wallet operations if the environment is compromised or prompts trigger sensitive actions unexpectedly.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This reference materially expands the skill from a wallet-focused capability into a generalized paid-endpoint execution and messaging workflow, including instructions for authorizing payments and sending inbox messages. In an agent setting, that capability expansion increases the chance that a caller or downstream prompt can steer the agent into spending funds or interacting with external services beyond the scope implied by the manifest.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README advertises capabilities that can move or risk user funds (sending BTC, swaps, lending) without any visible warning about irreversible transactions, smart-contract risk, counterparty risk, or the need for explicit user confirmation. In an agent-skill context, omission of these safety cues increases the chance that an LLM agent or operator treats these actions as routine and triggers harmful financial operations without adequate caution.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The skill instructs agents/users how to send BTC but does not prominently warn that blockchain transfers are irreversible and recipient mistakes can permanently destroy funds. In a wallet skill, omission of this warning raises the risk of accidental loss through prompt mistakes, address substitution, or misunderstanding of fee/amount units.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The guidance tells users to publicly post a wallet address together with a claim code on X without warning about privacy and correlation risks. This can permanently link an agent identity, social account, and on-chain address, enabling tracking, profiling, and targeted abuse such as phishing or deanonymization.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The workflow instructs the agent/user to broadcast commit and reveal transactions but does not prominently warn that these actions are irreversible, spend real BTC, and can permanently publish data on-chain. In an agent context, weak consent and safety framing around irreversible fund movement increases the risk of accidental loss, unintended inscriptions, or user confusion about permanence.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document promotes irreversible asset transfers and leveraged DeFi actions such as sending sBTC, supplying to lending pools, boosting leverage, and unwinding positions, but it does not include clear warnings about transaction irreversibility, liquidation risk, protocol risk, or possible total/partial loss of funds. In an agent skill context, omission of these warnings increases the chance that users or autonomous agents execute high-risk financial actions without informed consent or adequate safeguards.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill recommends agent-direct operation with signing keys that auto-unlock using a password derived from PILLAR_API_KEY, but it does not warn that compromise of the API key may grant autonomous signing authority over wallet actions. This creates a strong single-secret dependency and materially raises the risk of unauthorized transfers or DeFi operations if the environment or logs are exposed.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document provides many natural-language examples for value-moving and signing operations such as BTC/STX transfers, sBTC deposits, swaps, borrowing, withdrawals, and contract calls, but it does not place a clear, prominent warning that these actions can move real funds, incur fees, or sign irreversible on-chain transactions. In an agent skill context, examples are often operationalized directly, so missing safety framing increases the risk of accidental financial loss or unintended execution.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The troubleshooting examples use broad natural-language commands like 'Unlock my wallet' and 'Lock my wallet' without clear activation constraints, which can encourage overly permissive intent matching in an agentic system. In a wallet skill, ambiguous trigger phrasing raises the chance of accidental invocation of sensitive actions through prompt confusion, quoted text, or indirect instruction injection.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Guidance to create or import a wallet omits any warning that mnemonics, seeds, and wallet backup material are highly sensitive and must never be exposed in logs, chats, or untrusted tooling. In a wallet-management skill, that omission is dangerous because users may paste recovery phrases directly into agent conversations, leading to full wallet compromise.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The instructions tell users to unlock a wallet with a password but do not warn that the password is a sensitive secret that should not be entered into normal conversational channels. In an agent environment, this can train users to disclose credentials in plaintext, exposing them to logging, retention, or prompt-leak risks.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The Pillar wallet creation guidance does not warn that the action generates signing keys and performs on-chain deployment, both of which have security and financial implications. Without explicit notice, users may trigger irreversible key creation or blockchain actions without understanding custody, cost, or exposure implications.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The note that keys auto-unlock when `PILLAR_API_KEY` is set lacks any warning that this environment variable is itself a sensitive credential granting privileged wallet access. In an agent-operated wallet system, failing to emphasize secret handling can lead to insecure storage, accidental disclosure in logs, or broader compromise of signing capabilities.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
- Send inbox messages with `send_inbox_message` (use this instead of execute_x402_endpoint for inbox)
- Build new x402 APIs with `scaffold_x402_endpoint` and `scaffold_x402_ai_endpoint`

Always probe before executing paid endpoints. Never call `execute_x402_endpoint` with `autoApprove: true` without checking cost first.

**send_inbox_message** — dedicated tool for aibtc.com inbox messages:
- Parameters: `recipientBtcAddress` (bc1...), `recipientStxAddress` (SP...), `content` (max 500 chars), `paymentTxid` (optional)
Confidence
80% confidence
Finding
without checking

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
- Send inbox messages with `send_inbox_message` (use this instead of execute_x402_endpoint for inbox)
- Build new x402 APIs with `scaffold_x402_endpoint` and `scaffold_x402_ai_endpoint`

Always probe before executing paid endpoints. Never call `execute_x402_endpoint` with `autoApprove: true` without checking cost first.

**send_inbox_message** — dedicated tool for aibtc.com inbox messages:
- Parameters: `recipientBtcAddress` (bc1...), `recipientStxAddress` (SP...), `content` (max 500 chars), `paymentTxid` (optional)
Confidence
80% confidence
Finding
autoApprove

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
## Safe-by-Default Behavior

`execute_x402_endpoint` defaults to `autoApprove: false`:
- For paid endpoints: probes first and returns cost info, then waits for re-call with `autoApprove: true`
- For free endpoints: executes immediately and returns the response
Confidence
82% confidence
Finding
autoApprove

Session Persistence

Medium
Category
Rogue Agent
Content
Before sending transactions, set up a wallet:

1. **Create new wallet**: `wallet_create` - generates encrypted BIP39 mnemonic
2. **Import existing**: `wallet_import` - import from mnemonic phrase
3. **Unlock for use**: `wallet_unlock` - required before transactions
Confidence
74% confidence
Finding
Create new wallet**: `wallet_create` - generates encrypted BIP39 mnemonic 2. **Import existing**: `wallet_import` - import from mnemonic phrase 3. **Unlock for use**: `wallet_unlock` - required before

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.