Downloads: 89
Stars: 0
Active Installs: 1
Versions: 1
Install in OpenClaw
/install nansen-alerts-webhook-listener
Description
Set up a local webhook server to receive Nansen smart alerts in real-time with HMAC signature verification and public tunneling. Use when a user wants to lis...
Usage Guidance
Do not install or provide secrets yet — ask the publisher why the skill requires 'nansen' and NANSEN_API_KEY when the doc says it only runs a local webhook server. Confirm whether you actually need the nansen CLI; if not, remove that requirement. Before running any generated server script: (1) inspect the exact code the skill will write (ensure HMAC timing-safe comparison is implemented correctly and there are no obvious bugs), (2) keep the tunnel only as long as needed and rotate any webhook secret afterward, (3) if you enable OpenClaw forwarding, verify the target URL and token are safe and declared in the skill metadata, and (4) prefer localtunnel only for short tests — ngrok is recommended for stability but requires its own auth token. If the publisher cannot justify the API key or the nansen install, consider the skill incoherent and avoid supplying credentials.
Capability Analysis
Type: OpenClaw Skill
Name: nansen-alerts-webhook-listener
Version: 1.0.0
The skill provides a legitimate utility for setting up a local Node.js webhook listener to receive Nansen smart alerts. It includes a robust server implementation (nansen-webhook-server.mjs) using only built-in Node.js modules, featuring HMAC-SHA256 signature verification with timing-safe comparisons, payload size limits, and localhost-only binding. The instructions in SKILL.md include explicit security warnings about the risks of using public tunnels (ngrok/localtunnel) and correctly guide the agent to wait for user confirmation and handle secrets securely.
Capability Assessment
Purpose & Capability
The skill's name/description say it only sets up a local webhook receiver with HMAC verification and an optional public tunnel. However, the registry metadata requires the 'nansen' binary and declares NANSEN_API_KEY as the primary credential. The SKILL.md explicitly says it does NOT create or modify alerts, so requiring an API key and the nansen CLI is disproportionate and unexplained.
Instruction Scope
The runtime instructions are specific and constrained (bind to 127.0.0.1, POST /webhook, HMAC verification, 1 MB limit, graceful shutdown), which is good. But the instructions also reference additional environment variables (OPENCLAW_GATEWAY_URL, OPENCLAW_AUTH_TOKEN) that are not listed in requires.env, and they include optional forwarding of verified payloads to another local service. The agent is told to create and run a server and to expose it via a tunnel (ngrok/localtunnel) — acceptable for the purpose, but the combination of forwarding to OpenClaw and undeclared env usage should be explicit in metadata.
Install Mechanism
The install spec installs an npm package 'nansen-cli' (creates 'nansen' binary). npm installs from the public registry are moderate risk but commonly acceptable. The concern is not the mechanism itself but that installing nansen-cli appears unnecessary for a listener that 'does NOT create or modify alerts'. If the CLI is only for testing, that should be documented; otherwise the requirement is disproportionate.
Credentials
Only NANSEN_API_KEY is declared as required/primary, but the SKILL.md never needs that key to run the webhook receiver (it verifies incoming HMACs with a separately generated WEBHOOK_SECRET). The instructions also reference OPENCLAW_GATEWAY_URL and OPENCLAW_AUTH_TOKEN (used for forwarding) but these are not declared as required or optional env vars. Requiring NANSEN_API_KEY without justification is a red flag — ask why the key is needed and do not supply it unless necessary.
Persistence & Privilege
The skill is not always-enabled and does not request permanent presence or elevated platform privileges. It also does not attempt to modify other skills. Normal autonomous invocation is allowed (default), which is expected for skills.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install nansen-alerts-webhook-listener
- After installation, invoke the skill by name or use /nansen-alerts-webhook-listener
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
nansen-alerts-webhook-listener 1.0.0
- Initial release: Set up a secure local webhook server to receive real-time Nansen smart alert payloads, with HMAC signature verification.
- Supports public tunneling via ngrok (recommended) or localtunnel, enabling Nansen alert delivery to your local machine.
- No external Node.js dependencies—uses only built-in modules for security and simplicity.
- Includes optional integration with OpenClaw Gateway for automatic alert-driven agent turns.
- Implements security best practices: strict signature checks, 1 MB body limit, and minimal endpoint exposure.
- Provides clear, user-guided setup instructions and safety warnings.
Frequently Asked Questions
What is Nansen Alerts Webhook Listener?
Set up a local webhook server to receive Nansen smart alerts in real-time with HMAC signature verification and public tunneling. Use when a user wants to lis... It is an AI Agent Skill for Claude Code / OpenClaw, with 89 downloads so far.
How do I install Nansen Alerts Webhook Listener?
Run "/install nansen-alerts-webhook-listener" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Nansen Alerts Webhook Listener free?
Yes, Nansen Alerts Webhook Listener is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Nansen Alerts Webhook Listener support?
Nansen Alerts Webhook Listener is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created Nansen Alerts Webhook Listener?
It is built and maintained by Nansen AI (@nansen-devops); the current version is v1.0.0.