Is lnbits-with-qrcode safe?
https://clawhub.ai/JamesTsetsekas/lnbits-with-qrcode
This is a legitimate LNbits Lightning Network wallet management skill with well-intentioned security protocols. However, it handles real financial transactions through executable Python code that sends API keys to configurable external endpoints, creating meaningful risk if misconfigured. The prompt-level payment confirmation can be bypassed by other skills or prompt injection, and the MEDIA: output protocol introduces a minor attack surface. No malicious intent detected, but the financial nature of the operations warrants caution.
Findings (9)
HIGH Strong behavioral override directives in SKILL.md -25
SKILL.md contains multiple MUST/NEVER directives that override default agent behavior, including mandatory output formatting (MEDIA: protocol), suppression of certain outputs (adminkey hiding), and required confirmation flows. While these serve legitimate safety purposes, they demonstrate that the skill actively shapes agent behavior in ways that reduce user and agent autonomy.
MEDIUM MEDIA: output injection protocol -13
The skill instructs the agent to output 'MEDIA:' followed by a file path on a single line. This is a host-runtime protocol that triggers special behavior (image display). A malicious skill could abuse this pattern to reference arbitrary files for display or trigger parser vulnerabilities in the host runtime.
MEDIUM API key sent to configurable external endpoint -10
The Python CLI reads LNBITS_API_KEY from the environment and sends it as X-Api-Key header to whatever URL is configured in LNBITS_BASE_URL. While this is the expected behavior for an LNbits client, it means a misconfigured or attacker-controlled BASE_URL receives the wallet admin key.
LOW Home directory path leaked in QR file paths -8
The get_qr_path() function uses os.path.expanduser('~') to compute relative media paths, which embeds the user's home directory structure in the returned path. This is a minor information leak.
MEDIUM Executable Python script with outbound HTTP capabilities -25
The skill includes lnbits_cli.py which makes HTTP requests to external servers, writes files to disk, and processes user input. While the code appears legitimate and well-structured, it represents a real execution surface that could be exploited if the script were modified or if inputs were crafted maliciously.
LOW pip dependency installation required outside sandbox -15
The skill requires qrcode[pil] to be installed via pip. While this is a well-known package, pip installations can execute arbitrary setup.py code and introduce supply chain risk.
LOW Jiti cache files created during install -5
Multiple .cjs files were created in /tmp/jiti/ during installation. These appear to be from the ClawHub CLI runtime (JIT compilation cache), not from the skill itself. No malicious behavior detected.
MEDIUM Financial transaction risk with confirmation bypass potential -30
This skill handles real Lightning Network payments. While it mandates user confirmation before payments, this protection exists only at the prompt level and could be bypassed by prompt injection from another skill or a crafted user message. There is no programmatic confirmation mechanism in the Python CLI itself.
LOW False security from adminkey suppression -15
The skill instructs the agent to never display the adminkey in chat, but the key is printed to stdout by the CLI and visible in terminal output. This creates a false sense of security — the key is still exposed in logs, terminal history, and process monitoring.