Is kristapsk/agent-wallet-nwc-bridge safe?

https://github.com/openclaw/skills/tree/main/skills/kristapsk/agent-wallet-nwc-bridge

69
CAUTION

agent-wallet-nwc-bridge is a functionally legitimate Nostr Wallet Connect bridge for Bitcoin Lightning wallets, but it carries significant operational and supply chain risks. The most critical concerns are its use of npx -y @moneydevkit/agent-wallet to download and execute remote npm code on every payment operation (supply chain attack surface), the installation of a persistent background systemd service with ongoing access to wallet private keys, and the fact that this skill directly controls real Bitcoin funds where adversarial NWC requests could trigger unauthorized payments. The SKILL.md is clean with no prompt injection, and the installation phase showed no suspicious behavior, but the financial risk combined with best-effort budget enforcement and runtime remote code execution make this skill require thorough review before any deployment.

Category Scores

Prompt Injection 88/100 · 30%
Data Exfiltration 60/100 · 25%
Code Execution 35/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (9)

HIGH Remote npm package downloaded and executed on every wallet operation -45

The runAgentWallet() function calls spawnSync('npx', ['-y', '@moneydevkit/agent-wallet', ...args]) for every balance check, invoice creation, and payment. The -y flag bypasses confirmation and auto-installs the package. While npx caches packages, this means the wallet's core execution logic is an externally-controlled npm dependency fetched at runtime. A supply chain compromise of @moneydevkit/agent-wallet would immediately execute with access to the wallet private key (state.json) and full payment capability.

HIGH Direct control over real Bitcoin Lightning funds via pay_invoice -35

This skill can authorize outbound Bitcoin Lightning payments. Any NWC client with a registered connection can send pay_invoice requests with arbitrary BOLT11 invoices. If an AI agent with this skill active is manipulated through adversarial NWC events on the configured relay, or if the agent's system prompt is injected elsewhere, it could be induced to send payments to attacker-controlled Lightning addresses. The wallet balance acts as the only hard limit.

HIGH Installs persistent systemd user service as background process -12

install_systemd_user.sh installs and enables a systemd user service that starts automatically on user login and persists indefinitely across reboots. The service listens on public Nostr relays continuously with the wallet private key loaded. This is a long-lived process with financial capabilities that runs outside of any agent session context.

MEDIUM Payment transaction data transmitted to public Nostr relays -20

The bridge publishes a kind-13194 info event (wallet service pubkey, supported methods, encryption capabilities) and sends kind-23195 response events to configured public Nostr relays. While NWC response payloads are encrypted per NIP-44/NIP-04, the wallet service pubkey, event timing, and connection metadata are permanently visible to relay operators and network observers, building a deanonymizable transaction graph.

MEDIUM Wallet service private key stored in plaintext state.json -20

Upon init, the wallet service Nostr private key (sk_hex) is written to state.json in the skill directory alongside all per-connection NWC client secrets. Any process or user with read access to the skill directory can steal the private key and impersonate the wallet service to any NWC client. The README warns against committing this file but does not restrict filesystem permissions.

MEDIUM NWC_AUTO_REGISTER enables unauthenticated wallet access -12

When NWC_AUTO_REGISTER=1, any unknown NWC client pubkey that contacts the bridge is automatically registered and granted wallet access up to NWC_DEFAULT_BUDGET_SATS sats. Anyone who discovers the wallet service pubkey and the configured relay can self-register without explicit authorization. This is particularly dangerous because the bridge's info event (kind 13194) publicly broadcasts the wallet service pubkey.

LOW No suspicious activity during installation -15

The clone process connected only to github.com (140.82.113.4:443) for the skill repository. No unexpected outbound connections, process spawning, or filesystem modifications outside the skill directory were observed. Post-install network connections to AWS (44.214.208.192:443) are attributable to the openclaw-gateway platform, not this skill.

LOW Budget enforcement is best-effort with no fee accounting -8

The code comment explicitly states quota enforcement is best-effort and cannot account for Lightning routing fees. The spent_sats counter only increments if agent-wallet returns an amount, which the comment notes is 'not guaranteed'. An attacker could partially exhaust a budget through fee-heavy routes that go untracked.

LOW Bundled .clawhub/lock.json references unrelated skill -8

The .clawhub/lock.json included in the skill package references 'academic-research-hub' version 0.1.0 rather than this skill. This artifact from a different installation context was accidentally bundled in the release, indicating insufficient QA before publishing. While not directly malicious, it suggests the publisher did not carefully review what was committed.