Is echennells/sparkbtcbot safe?

The skill declares model-invocation: autonomous with the stated rationale that agents need to pay invoices and respond to transfers without human approval per transaction. This instructs the agent runtime to grant execution rights without per-action confirmation. For a skill that can irreversibly transfer Bitcoin, this removes the standard human-in-the-loop safety check.

The skill requires SPARK_MNEMONIC in a plaintext environment variable. The skill itself explicitly states 'Any agent or process with the mnemonic has unrestricted control over the wallet.' If any other active skill, agent tool, or prompt injection causes the agent to read or output the mnemonic, all funds are immediately at risk with no revocation mechanism short of sweeping to a new wallet.

The fetchL402() method in the SparkAgent class will automatically pay any Lightning invoice returned in an HTTP 402 response from any URL passed to it. If an agent is directed to fetch a URL controlled by an attacker (e.g., via prompt injection in web content or a malicious skill argument), the attacker can issue a 402 challenge and receive a Lightning payment without the user explicitly authorizing it.

When combined with a filesystem-reading skill, an attacker who injects into the agent's context could instruct the agent to read .env (which contains SPARK_MNEMONIC) and then use the Spark wallet to transfer all funds to an attacker address. When combined with a browser/web-fetch skill, visiting attacker-controlled L402 pages could trigger automatic micropayments. Neither attack requires any vulnerability in the skill itself.

All six canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were opened at timestamp 1771935870.954, which is 5+ seconds before the git clone of the skill began at 1771935876.488. A second read batch occurred at 1771935888 during monitoring teardown. Both access events are strongly consistent with the oathe audit framework recording initial state and performing final integrity verification, not with skill activity. Canary integrity check confirms all files intact.

The Spark SDK provides no native per-transaction limits, daily caps, or recipient allowlists. The skill correctly documents this and advises implementing application-level controls, but an agent operating this skill autonomously has no built-in guardrails against draining the entire balance in a single operation.

package.json contains only dependencies and named example scripts (no preinstall/postinstall/install hooks). No .gitattributes filter drivers, no .gitmodules, no .githooks/ directory, no symlinks outside the skill directory were detected. npm install was not executed during the audit.

The only external network connection attributable to the skill installation was git-remote-http to 140.82.121.3:443 (GitHub). The connection to 185.125.188.54:443 (Canonical/Ubuntu) predates the clone and is consistent with standard Ubuntu motd-news update infrastructure. No connections to skill operator domains, no DNS queries to sparkbot.yvrbtclabs.dev.