← Back to Skills Marketplace
SatsRail MCP — Bitcoin Lightning Payments for AI Agents
by
Ruby Tuesday
· GitHub ↗
· v1.0.0
386
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install satsrail-mcp
Description
Enable AI agents to create Bitcoin Lightning payment orders, generate invoices, check payment status, and manage payments via natural language with SatsRail...
Usage Guidance
This skill appears to do what it claims (Lightning payments through SatsRail) but contains important inconsistencies and a runtime install behavior you should consider before enabling it. Before installing: (1) Verify the satsrail-mcp npm package and the linked GitHub repo — review source and recent maintainer activity; (2) Use a test API key (sk_test_...) and restrict permissions if possible; (3) Expect that npx/npm must be available in the runtime environment — the metadata should have declared that; (4) Prefer explicitly installing and auditing the npm package ahead of giving the agent a live key rather than allowing automatic npx downloads at runtime; (5) Run the integration in an isolated or monitored environment and check logs/network egress for unexpected behavior; (6) Ask the publisher/registry owner to update the metadata to declare SATSRAIL_API_KEY and the npx/npm dependency so you can make an informed risk decision.
Capability Analysis
Type: OpenClaw Skill
Name: satsrail-mcp
Version: 1.0.0
The skill bundle is classified as suspicious due to the use of `npx -y satsrail-mcp` in the `SKILL.md` configuration instructions. This command downloads and executes an external npm package without explicit user confirmation, introducing a significant supply chain vulnerability. If the `satsrail-mcp` package on npm were compromised, this could lead to Remote Code Execution (RCE) on the host system. While this is a critical risk, there is no direct evidence of malicious intent within the provided files, but rather a risky execution method that allows for potential exploitation.
Capability Assessment
Purpose & Capability
The described capabilities (create orders, generate bolt11 invoices, check payment status) are coherent with a SatsRail Lightning integration. However, the registry metadata claims no required environment variables or binaries while the SKILL.md explicitly instructs the operator to provide a SATSRAIL_API_KEY and to invoke npx (npx/npm) to run the satsrail-mcp package. That mismatch (undeclared secret and undeclared runtime dependency) is an inconsistency.
Instruction Scope
The instructions stay focused on integrating an MCP server with SatsRail: configuring an MCP server entry, providing an API key in the server env, and invoking the satsrail-mcp npm package. The SKILL.md does not instruct the agent to read unrelated files or exfiltrate other system secrets. It does, however, instruct the environment to execute code fetched from npm at runtime (via npx), which increases the scope of what will run.
Install Mechanism
There is no install spec in the registry metadata, but the SKILL.md example uses 'npx -y satsrail-mcp' — this implies runtime download and execution of an npm package. Fetching and executing code from npm at runtime is a moderate-to-high risk if you haven't audited the package source. The SKILL.md points to GitHub and npm pages (helpful), but the package install/execute behavior should have been declared explicitly in the metadata.
Credentials
Registry metadata lists no required env vars, yet SKILL.md requires a SATSRAIL_API_KEY (sk_live_... / sk_test_...) to operate. Requesting one service-specific API key is reasonable for a payments integration, but the omission in metadata is a red flag. The skill does not request unrelated credentials, which is good; the issue is the missing declaration of a required secret and guidance about its scope/permissions.
Persistence & Privilege
The skill does not request always:true and is user-invocable only; model invocation is allowed (the platform default). The skill does not declare or request system-wide config changes beyond adding an MCP server entry with the API key — that is expected for this integration. No evidence of the skill modifying other skills or system-wide settings.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install satsrail-mcp - After installation, invoke the skill by name or use
/satsrail-mcp - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release — Bitcoin Lightning payments for any MCP-compatible AI agent
Metadata
Frequently Asked Questions
What is SatsRail MCP — Bitcoin Lightning Payments for AI Agents?
Enable AI agents to create Bitcoin Lightning payment orders, generate invoices, check payment status, and manage payments via natural language with SatsRail... It is an AI Agent Skill for Claude Code / OpenClaw, with 386 downloads so far.
How do I install SatsRail MCP — Bitcoin Lightning Payments for AI Agents?
Run "/install satsrail-mcp" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is SatsRail MCP — Bitcoin Lightning Payments for AI Agents free?
Yes, SatsRail MCP — Bitcoin Lightning Payments for AI Agents is completely free (open-source). You can download, install and use it at no cost.
Which platforms does SatsRail MCP — Bitcoin Lightning Payments for AI Agents support?
SatsRail MCP — Bitcoin Lightning Payments for AI Agents is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created SatsRail MCP — Bitcoin Lightning Payments for AI Agents?
It is built and maintained by Ruby Tuesday (@rubytuess); the current version is v1.0.0.
More Skills