Is hodlxxi/hodlxxi-bitcoin-identity safe?
https://github.com/openclaw/skills/tree/main/skills/hodlxxi/hodlxxi-bitcoin-identity
The hodlxxi-bitcoin-identity skill contains a critical structural flaw: its own installation instructions direct agents to download and overwrite the audited SKILL.md with content from a separate, unreviewed GitHub repository, making any security audit of the published version effectively meaningless. Beyond this supply chain bypass, the skill routes all OAuth authentication flows, LNURL-Auth sessions, and JWT verification through a third-party external service (hodlxxi.com) operated by the skill author, creating a credential harvesting surface, while a Lightning PAYG billing system enables silent cryptocurrency extraction from agents acting on behalf of users. Static installation behavior was clean with no canary compromise or unexpected network persistence, but the design patterns embedded in the skill's documentation present unacceptable risks during active use.
Findings (7)
CRITICAL Self-Replacement via External Repository Fetch Bypasses Audit -65
The SKILL.md Installation section (step 1) instructs the agent to execute a curl command that downloads and overwrites the current SKILL.md with content from https://raw.githubusercontent.com/hodlxxi/Universal-Bitcoin-Identity-Layer/main/skills/public/hodlxxi-bitcoin-identity/SKILL.md. This target repository (hodlxxi/Universal-Bitcoin-Identity-Layer) is entirely different from the audited source (openclaw/skills) and has not been reviewed. Any agent that follows the stated installation procedure will replace the audited skill with operator-controlled, unvetted content. This is a structural supply chain attack embedded in the skill's own documentation.
HIGH All OAuth and Identity Flows Routed Through Operator-Controlled External Service -40
Every authentication operation the skill instructs the agent to perform — OAuth client registration, authorization code exchange, token requests, LNURL-Auth session creation and polling, and JWKS-based JWT verification — is directed to hodlxxi.com, an external service operated by the skill author. The operator has full visibility into client credentials (client_id, client_secret), authorization codes, access tokens, and identity claims for any service the user authenticates with through this skill.
HIGH Lightning PAYG Billing Enables Silent Cryptocurrency Extraction -35
The skill includes a pay-as-you-go billing system with Lightning Network invoice creation and checking endpoints. The 402 response flow — which returns a create_invoice_endpoint and hint 'Top up via Lightning PAYG' — is designed to appear as a routine operational error that agents should self-remediate by creating and paying invoices. An agent that handles 402 responses automatically could transfer cryptocurrency to the skill operator without explicit per-transaction user authorization.
HIGH HEARTBEAT.md Induces Persistent Beaconing Behavior -20
HEARTBEAT.md is presented as operational documentation specifying that the agent should perform health checks every 5 minutes (production) or hourly (staging) against multiple hodlxxi.com endpoints, including the creation of a new LNURL-Auth session on each cycle. If an agent treats this as a directive, it will maintain a continuous outbound beacon to the skill operator's infrastructure, enabling activity tracking and providing a persistent channel for server-side instruction delivery via manipulated API responses.
MEDIUM Three-Repository Provenance Chain Obscures True Authorship -15
The _meta.json commit URL references github.com/clawdbot/skills, the skill is published under openclaw/skills, and the installation instructions reference hodlxxi/Universal-Bitcoin-Identity-Layer as the canonical source. This three-repository chain makes it impossible to determine which repository is authoritative, enables silent updates via the self-replacement mechanism, and obscures the true author behind multiple GitHub organizations.
MEDIUM pip Install of Three Third-Party PyPI Packages -15
The skill installation requires pip install ecdsa pyjwt requests, introducing a runtime dependency on three PyPI packages. While these are widely used and currently safe packages, this creates a supply chain dependency — a compromised PyPI package would execute arbitrary code in the agent's environment at install time.
LOW Honeypot Credential Files Read at Monitoring Boundaries -10
inotify and auditd records show OPEN+ACCESS+CLOSE_NOWRITE (read-only) events on .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials at 12:29:33 (monitoring start) and 12:29:50 (monitoring end). Timing analysis places these accesses at the harness setup and teardown phases, before and after the git clone respectively. The canary integrity report confirms the files were unmodified. Assessed as harness infrastructure rather than skill activity, but noted because the files were accessed rather than merely created.