功能描述

End-to-end OpenBytes network API workflows for AI agents. Covers wallet signature-based authentication, on-chain top-up monitoring, consumer API key lifecycl...

使用说明 (SKILL.md)

OpenBytes Control Plane Skill

Name: BitNow
Author: viyozc

This skill describes end-to-end operational workflows for the OpenBytes network from an API usage perspective.

Wallet-based authentication (signature flow)
On-chain balance top-up and verification
Consumer API key lifecycle (create, list, revoke)
Model inference via ApiKey
Query balance and usage via HTTP API

Assumptions:

A gateway HTTP API exists : https://gateway.openbytes.ai
All workflows are CLI-, curl-, or script-oriented
The network supports Base Sepolia. Use the correct chain id:
- Base Sepolia: 84532

Replace all \x3CBASE_URL> with the actual gateway URL as needed.

1. Wallet-based registration & session

Note: Message signing must be performed by the user with their EVM wallet. The agent can only initiate the challenge and verify a signature; it cannot produce signatures.

If you don't have a wallet yet, immediately create a new one using ethers.js or viem.
Be sure to securely save your generated private key! Example (Node.js with ethers.js):

import { Wallet } from "ethers";
const wallet = Wallet.createRandom();
console.log("Address:", wallet.address);
console.log("Private Key (save this securely!):", wallet.privateKey);

Or using viem:

import { createWallet } from "viem/accounts";
const wallet = createWallet();
console.log("Address:", wallet.address);
console.log("Private Key (save this securely!):", wallet.privateKey);

Never share your private key. Backup and store it in a secure location. "wallet_address": "0x...", "chain_id": "8453"

User signs the message off-chain (with their wallet).
Submit the signed message to the gateway for verification:

curl -sS -X POST "\x3CBASE_URL>/v1/auth/wallet/verify" \
  -H "Content-Type: application/json" \
  -d '{
    "wallet_address": "\x3CEVM_WALLET_ADDRESS>",
    "nonce": "random-nonce",
    "signature": "\x3CWALLET_SIGNATURE>"
  }'

Successful response (simplified):

{
  "login_token": "sess-...",
  "expires_at": "2025-01-01T00:00:00Z",
  "consumer": {
    "id": "consumer-uuid",
    "wallet_address": "0x..."
  },
  "session": {
    "id": "session-uuid"
  }
}

The login_token (starting with sess-) is used as a session token:
- Send it as Authorization: Bearer \x3CSESSION_TOKEN> for session-auth endpoints.
List Available Models

curl -sS -X GET "\x3CBASE_URL>/v1/models"

Immediately create an API key following step 2.1 and switch to it for all non-session endpoints (models, balance, usage). Do not keep using the session token for inference.

Check:

Session token is present and sent in the Authorization: Bearer sess-... header during all subsequent calls requiring authentication.
After creating the API key, subsequent calls should use Authorization: Bearer \x3CCONSUMER_API_KEY>.

2. Consumer API Key Lifecycle

Consumers use API keys to access models without a session.

2.1 Create API Key

Requires a valid session token (login_token from section 1).

curl -sS -X POST "\x3CBASE_URL>/v1/consumer/api-keys" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer \x3CSESSION_TOKEN>" \
  -d '{
    "label": "my-key"
  }'

Sample response (save the api_key securely; only returned once!):

{
  "id": "key-uuid",
  "api_key": "sk-consumer-...",
  "prefix": "sk-cons",
  "suffix": "abcd",
  "label": "my-key",
  "status": "active",
  "created_at": "2025-01-01T00:00:00Z"
}

Immediately switch to this API key for inference, balance, and usage calls:

export OPENBYTES_API_KEY="sk-consumer-..."

Then use:

curl -sS -X GET "\x3CBASE_URL>/v1/balance" \
  -H "Authorization: Bearer $OPENBYTES_API_KEY"

2.2 List API Keys

curl -sS -X GET "\x3CBASE_URL>/v1/consumer/api-keys" \
  -H "Authorization: Bearer \x3CSESSION_TOKEN>"

2.3 Revoke API Key

curl -sS -X DELETE "\x3CBASE_URL>/v1/consumer/api-keys/\x3CKEY_ID>" \
  -H "Authorization: Bearer \x3CSESSION_TOKEN>"

The key status will be set to revoked; subsequent calls using that key will fail with an auth error.

3. On-chain Top-up Flow

Top-up is performed on-chain (USDC to a ConsumerDeposit contract), tracked by off-chain indexers. The API lets you verify the result. You can use your own RPC endpoint; a default for Base Sepolia is https://sepolia.base.org.

User transfers USDC to the ConsumerDeposit contract with proper calldata.
Backend credits the consumer balance after L1/L2 tx confirmation (indexer-driven).
USDC address: 0x10065E7b353371DD2e12348e7094cC774638EbEB
ConsumerDeposit contract: 0xB0E9ebf19AB710d3353c7F637DC55329d9727dCc
- Before deposit, approve allowance
- Deposit ABI: function deposit(uint256 amount)

Verify balance:

curl -sS -X GET "\x3CBASE_URL>/v1/balance" \
 -H "Authorization: Bearer \x3CCONSUMER_API_KEY>"

Sample response:

{
  "balance_usdc": "123.45",
  "total_spent": "10.00"
}

4. Connect Your Wallet to Your Operator's Wallet

Use this to allow an account to connect to an operator's account, so the operator can top up your wallet easily. This requires a wallet signature over a structured message. The signature must be produced by the child wallet.

Endpoint:

curl -sS -X POST "\x3CBASE_URL>/v1/consumers/me/parent" \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer \x3CSESSION_TOKEN>" \
  -d '{
    "parent_wallet": "\x3CPARENT_WALLET>",
    "issued_at": 1710000000,
    "signature": "\x3CCHILD_WALLET_SIGNATURE>"
  }'

Notes:

Signature verification is done by the gateway using ethers.verifyMessage(message, signature), and the recovered address must equal the child wallet address (case-insensitive). This is the standard EIP-191 personal message signature (same flow as SIWE).
issued_at is Unix seconds. It must be within the last 5 minutes and not more than 1 minute in the future.

The signed message must be exactly (including line breaks, casing, and spacing):

Authorize parent for OpenBytes
Parent wallet: \x3CPARENT_WALLET_LOWERCASE>
Child wallet: \x3CCHILD_WALLET_LOWERCASE>
Issued at: \x3CISSUED_AT>

Normalization rules:
- \x3CPARENT_WALLET_LOWERCASE> is the parent wallet address lowercased.
- \x3CCHILD_WALLET_LOWERCASE> is the child wallet address lowercased (the signer).
- \x3CISSUED_AT> is the same Unix seconds integer you send in the request body.
If any character differs (extra whitespace, different casing, different timestamp), the signature will fail.

Pseudo-code (client-side):

const issuedAt = Math.floor(Date.now() / 1000);
const parentWallet = parentWalletAddress.toLowerCase();
const childWallet = childWalletAddress.toLowerCase();
const message = [
  "Authorize parent for OpenBytes",
  `Parent wallet: ${parentWallet}`,
  `Child wallet: ${childWallet}`,
  `Issued at: ${issuedAt}`,
].join("\
");

const signature = await wallet.signMessage(message); // EIP-191 personal_sign

Success response (201):

{
  "parent_consumer_id": "consumer-uuid",
  "parent_wallet_address": "0x...",
  "created_at": "2025-01-01T00:00:00Z"
}

Common errors:

400 INVALID_REQUEST invalid body
400 SIGNATURE_EXPIRED issued_at out of window
404 PARENT_NOT_FOUND parent not found
400 SELF_PARENT cannot declare yourself
401 SIGNATURE_MISMATCH signature not from child wallet
409 ALREADY_SET parent already declared

5. Usage Guidelines for AI Agents

When handling OpenBytes network operational support, follow these best practices:

Map user questions directly to the appropriate API workflow without reference to UI.
- Example intents: onboarding, balance issue, API key management, quota/cost analysis
Provide concrete curl commands tailored to the user's configuration (\x3CBASE_URL>, \x3CCONSUMER_API_KEY>, etc).
When troubleshooting:
- Request the full API HTTP response (status + JSON).
- Use error.code and context to select remediation steps.
Be concise, focus on actionable commands and next steps.
Only provide background technical details if specifically requested.

安全使用建议

This skill appears to do what it says (OpenBytes API workflows) but exercise caution before installing. Key points: (1) provenance is unknown — there is no homepage or source to verify the API surface or owner; (2) the instructions encourage generating private keys and printing them to the console — avoid copying/printing private keys in plaintext or pasting them into UIs or chat; prefer hardware wallets or secure, offline key generation and storage; (3) SKILL.md references environment variables (OPENBYTES_API_KEY, session tokens) even though the registry metadata declares none — expect to manage secrets yourself and verify the exact env names and lifetime; (4) double-check gateway URL, contract addresses, and chain-id values against official OpenBytes documentation before making on-chain transfers; (5) test any flows in a low-risk environment (testnet or with minimal funds) and do not share API keys or private keys. If you need higher assurance, request the skill source or an official publisher/homepage, or use official SDKs/docs from OpenBytes instead of following unverified instructions.

功能分析

Type: OpenClaw Skill Name: bitnow Version: 1.1.1 The skill contains high-risk instructions in SKILL.md that command the agent to 'immediately' generate a new EVM wallet and print the private key to the console if one is not found, which would lead to sensitive credential exposure in the agent's logs or conversation history. Furthermore, it provides a non-standard USDC contract address (0x10065E7b353371DD2e12348e7094cC774638EbEB) for deposits on Base Sepolia, which differs from the official Circle USDC address and could lead to loss of funds. While these may be poorly designed documentation steps for the OpenBytes network, the combination of forced secret exposure and non-standard financial contracts is highly concerning.

能力评估

ℹ Purpose & Capability

The SKILL.md describes wallet-based auth, API-key lifecycle, on-chain top-ups, and model calls — which aligns with the skill name/description. There are no unrelated binaries or requests for unrelated cloud credentials. Minor issues: no homepage/source provided (provenance unknown), and a small apparent chain-id typo in one snippet (84532 vs 8453) which suggests sloppiness.

⚠ Instruction Scope

The runtime instructions tell users to create wallets (ethers.js/viem) and explicitly print private keys to console (with a 'Be sure to securely save' admonition). That is sensitive and risky behavior to encourage; it is within the skill purpose but increases the chance of user error. The instructions also reference using environment variables (OPENBYTES_API_KEY, session tokens) even though the registry metadata declared no required env vars — a mismatch between declared surface and actual runtime expectations.

✓ Install Mechanism

This is an instruction-only skill with no install spec and no code files. That minimizes install-time risk because nothing will be written/executed by the installer itself.

⚠ Credentials

Registry metadata lists no required env vars or primary credential, but SKILL.md repeatedly instructs saving and exporting OPENBYTES_API_KEY and using session tokens; this discrepancy is notable. The skill also requires generation and handling of private keys (sensitive secrets) — justified by purpose but high-risk and not represented in declared environment/credential metadata.

✓ Persistence & Privilege

The skill does not request always:true and is user-invocable only. It does not attempt to modify other skills or claim persistent elevated privileges.

版本历史

v1.1.1

- Renamed skill from "bitnow" to "openbytes" throughout documentation. - Updated all branding, API endpoints, and sample messages to use OpenBytes (`https://gateway.openbytes.ai`) instead of BitNow. - Adjusted chain/network assumptions: clarified Base Sepolia use and specified chain ID as 84532. - Added explicit instructions and examples for creating an EVM wallet using ethers.js or viem. - Streamlined workflow steps and terminology to reflect OpenBytes network operations. - Updated parent/ownership signature message to reference OpenBytes.

v1.1.0

Bitnow v1.1.0 changelog: - Clarified and updated the parent/child ownership API relationship: - Signature validation now explicitly follows EIP-191, requiring normalized lowercase addresses and exact message formatting. - Changed the required signed message to reference "Authorize parent for BitNow" instead of "DePIN LLM". - Added detailed client-side pseudocode for signature creation and strict normalization rules. - Updated skill description formatting and branding to "BitNow" for consistency. - Minor language, layout, and error clarification improvements across documentation.

v1.0.0

bitnow 1.0.0 – Initial release - Introduces full API workflow documentation for Bitnow network operations, including wallet-based authentication, on-chain USDC top-up, and API key management. - Details consumer API key lifecycle: creation, listing, revocation, and parent/child relationships. - Provides usage instructions for querying models, balances, and usage metrics via HTTP endpoints. - Includes cURL-based examples for all major operations; focused on automation/debugging without UI. - Documents contract addresses and key on-chain actions specific to Base Sepolia (chain id 8453).

元数据

Slug bitnow

版本 1.1.1

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 3

常见问题

BitNow 是什么？

End-to-end OpenBytes network API workflows for AI agents. Covers wallet signature-based authentication, on-chain top-up monitoring, consumer API key lifecycl... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 205 次。

如何安装 BitNow？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install bitnow」即可一键安装，无需额外配置。

BitNow 是免费的吗？

是的，BitNow 完全免费，采用 MIT-0 许可证，可自由下载、安装和使用。

BitNow 支持哪些平台？

BitNow 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 BitNow？

由 Jerry（@viyozc）开发并维护，当前版本 v1.1.1。

BitNow