← 返回 Skills 市场

Alby Lightning Payments

Name: Alby Lightning Payments
Author: kiagentkronos-cell

作者 kiagentkronos-cell · GitHub ↗ · v1.1.2 · MIT-0

cross-platform ⚠ suspicious

103

总下载

当前安装

版本数

在 OpenClaw 中安装

/install alby-lightning

功能描述

Send, receive, and manage Bitcoin Lightning payments through Alby Hub's Nostr Wallet Connect, including balance checks and invoice handling.

使用说明 (SKILL.md)

Alby Lightning Payments Skill

Overview

Easily send, receive, and manage Bitcoin Lightning payments via Alby Hub's Nostr Wallet Connect (NWC).

Features

Check wallet balance
Pay Lightning invoices
Send to Lightning addresses
Generate receive invoices

Setup

Prerequisites

Alby Hub account
NWC (Nostr Wallet Connect) URL

Installation

mkdir -p ~/.openclaw/workspace/skills/alby-lightning
cd ~/.openclaw/workspace/skills/alby-lightning
npm init -y
npm install @getalby/sdk

Configuration

Add to openclaw.json:

{
  "env": {
    "ALBY_NWC_URL": "nostr+walletconnect://..."
  }
}

⚠️ Security

Your NWC URL contains your wallet's private key. Anyone with this URL can spend your funds.

NEVER commit it to git or share it publicly
ALWAYS set spending limits in Alby Hub before use
Store it only in openclaw.json (not in code files)
Rotate the NWC URL immediately if you suspect it was leaked

Gotchas

Always specify amount for zero-amount invoices
Use result.invoice, not result.payment_request
Set spending limits in Alby Hub

Contributing

Improvements welcome! Open issues at GitHub.

安全使用建议

This skill appears to implement the advertised Alby/NWC payment functionality, but there are important red flags you should address before installing: (1) The registry metadata does not declare the ALBY_NWC_URL env var the code requires — assume the NWC URL will be needed and treat it as extremely sensitive (contains spending capability). (2) package.json's test script runs scripts/wallet.js which executes payment actions immediately; do not run npm test unless you want those actions to execute. Audit the code (especially scripts/wallet.js), and consider removing or editing the test script before running any package scripts. Only set ALBY_NWC_URL in a secure location (openclaw.json as recommended), ensure spending limits are set in Alby Hub, and consider running the skill in an isolated environment or sandbox first. Verify the @getalby/sdk version and source and prefer installing dependencies manually after inspection. If you need higher confidence, ask the publisher for a homepage/source repository (none is listed) or request that they update the registry metadata to declare ALBY_NWC_URL as the primary credential and remove/modify the auto-running test script.

能力评估

⚠ Purpose & Capability

The skill's functionality (sending/paying Lightning invoices via an Alby NWC URL) is coherent with the name/description, and the code expects a single env var ALBY_NWC_URL — which is necessary. However the registry metadata lists no required env vars or primary credential, which is incorrect and misleading. That mismatch (code+SKILL.md requiring ALBY_NWC_URL vs registry declaring none) is material and could cause users to accidentally provide credentials in the wrong place or miss the sensitivity of the NWC URL.

⚠ Instruction Scope

SKILL.md fairly narrowly instructs installing @getalby/sdk and setting ALBY_NWC_URL in openclaw.json; the send_sats.mjs and pay_bolt11.mjs scripts implement SSRF protections, amount checks, timeouts, and avoid logging secrets. However scripts/wallet.js immediately performs balance-checks, makes a hardcoded payInvoice call, pays a lightning address, and creates an invoice on import — and package.json defines "test": "node scripts/wallet.js". That means running npm test (or some automated test hooks) could execute payment-related actions unexpectedly. SKILL.md does not warn that the included test script performs network/payment actions.

ℹ Install Mechanism

No install spec is declared in the registry (instruction-only), yet package.json has a runtime dependency on @getalby/sdk and SKILL.md instructs users to run npm install @getalby/sdk. This is a moderate risk (npm package download/execution) but not unusual for Node skills. The inconsistency between 'no install spec' in metadata and explicit npm-based install instructions should be fixed or made explicit to users.

⚠ Credentials

The only secret the code needs is ALBY_NWC_URL (the private-key-containing Nostr Wallet Connect URL), which is proportionate to the stated payment functionality. However the registry does not declare this required env var or mark a primary credential, which is misleading and increases the risk that users will misconfigure where they store the secret. The SKILL.md appropriately warns users about the sensitivity of the NWC URL.

✓ Persistence & Privilege

The skill does not request always:true or other elevated platform privileges. It does not attempt to modify other skills or system-wide agent settings. Autonomy (disable-model-invocation=false) is platform default and not a standalone concern here.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install alby-lightning
安装完成后，直接呼叫该 Skill 的名称或使用 /alby-lightning 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.1.2

Added GitHub source: github.com/kiagentkronos-cell/alby-lightning

v1.1.1

Expanded README: explains network access, LNURL protocol, security measures — for transparency review

v1.1.0

Security hardened: SSRF protection, invoice amount verification, input validation, timeouts, path traversal fix

元数据

Slug alby-lightning

版本 1.1.2

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 3

常见问题