Is public/hodlxxi-bitcoin-identity safe?
The hodlxxi-bitcoin-identity skill is a documentation-only package with a clean installation footprint consisting solely of SKILL.md and config.json. No executable code, prompt injection overrides, or data exfiltration was detected during the audit; all canary files remained intact and the only network contact during install was the expected GitHub clone. The primary residual concerns are: the SKILL.md explicitly acknowledges unaudited heartbeat-capable scripts in the parent monorepo that fall outside this audit's scope; the public endpoints section normalizes proactive agent-initiated GET requests to hodlxxi.com infrastructure; and the Bitcoin/Lightning/OAuth domain creates a high-value attack surface should any of the well-constructed but runtime-only permission gates be bypassed in a future version or multi-skill deployment.
Findings (5)
LOW Unaudited operator-only files with heartbeat capability acknowledged in SKILL.md -8
SKILL.md explicitly acknowledges the existence of 'helper scripts, heartbeat notes, and OAuth templates' in the parent repository that are intentionally excluded from the published skill package. The specific mention of 'heartbeat notes' implies polling/beaconing infrastructure exists in the monorepo. These files cannot be audited from the published package and could be installed separately to enable continuous outbound communication.
LOW External endpoints explicitly designated as safe agent fetch targets -7
The 'Public discovery endpoints' section lists five hodlxxi.com URLs as 'safe public-read discovery surfaces.' This framing may prime an agent loading this skill to proactively issue GET requests to hodlxxi.com infrastructure during normal operation — establishing a persistent communication channel to the skill author's servers without any explicit user request. This is not an override instruction but does shape agent behavior toward external contact.
MEDIUM High-value financial and identity domain with soft runtime permission gates -18
The skill operates at the intersection of Bitcoin/Lightning payments, OAuth/OIDC credential issuance, LNURL-Auth wallet sessions, and signed inter-agent execution surfaces. While the explicit security rules are well-constructed and restrictive, each dangerous operation is gated only by 'explicit operator approval' — a runtime control. Any instruction conflict, a future skill version with subtle prompt injection, or combination with a less-restrictive skill could result in unauthorized Lightning invoice creation, OAuth client registration, or identity impersonation with real financial consequences.
INFO Canary file access events observed — attributed to monitoring infrastructure, not skill -5
inotify and auditd detected sequential OPEN/ACCESS syscalls on all six honeypot canary files at two distinct timestamps: 1782203292.385-392 (immediately at audit setup, before git clone) and 1782203304.102-103 (immediately after install completes, before monitoring teardown). The complete-sweep sequential pattern at both timestamps is characteristic of the monitoring framework performing initial baseline registration and final integrity verification. The canary integrity check independently confirms no exfiltration occurred.
INFO Skill package is documentation-only — minimal executable attack surface 0
The installed skill consists solely of SKILL.md and config.json. No executable code, npm packages, git hooks (.githooks/), gitattributes with filter drivers, submodules (.gitmodules), or symlinks are present. This is the minimum viable skill footprint and represents no code execution risk from the installed package itself.