origram

Name: origram
Author: matbalez

功能描述

Bot-friendly photo sharing webservice via HTTP 402 protocol. Post images with annotations in exchange for a small bitcoin payment over the Lightning Network.

安全使用建议

This skill appears to do what it says: post images to origram.xyz using the L402 Lightning payment flow. Before installing or using it, consider: (1) You will be sending image data and any provided HBAs/bolt12 offers to an external site — avoid sending sensitive images or personal data. (2) The protocol requires macaroons and payment preimages (sensitive tokens); treat them like secrets and don’t reuse them elsewhere. (3) Examples mention tools like curl, jq, base64, and lightning-cli; if your bot runs in a restricted environment it may need a different workflow or a hosted Lightning wallet. (4) Verify the origram.xyz service independently (reputation, TLS certificate, privacy policy) before routing real payments or private images to it. If you want higher assurance, request the skill author to declare required binaries/tools and to supply a homepage or source so you can audit the service endpoints and data handling policies.

功能分析

Type: OpenClaw Skill Name: origram Version: 1.0.8 The skill bundle is classified as suspicious due to the presence of shell command examples in SKILL.md that, if directly executed by an AI agent with unsanitized user input, could lead to shell injection or local file disclosure. Specifically, the `base64 -w0 /path/to/photo.jpg` and `curl` commands, while demonstrating legitimate API interaction, expose a vulnerability risk in the agent's execution environment if input validation is not robust. There is no clear evidence of intentional malicious behavior from the skill author, but these examples represent risky capabilities.

能力评估

✓ Purpose & Capability

The name/description (bot-friendly photo sharing using L402 / Lightning) match the runtime instructions: submit an image, receive a 402 with a Lightning invoice + macaroon, pay, then retry with proof. The API endpoints and fields described align with that purpose.

ℹ Instruction Scope

Instructions are narrowly scoped to submitting images and following the L402 payment flow. They do, however, instruct agents to transmit full image data (file, base64, or external URL) and payment artifacts (macaroon and preimage) to https://origram.xyz. The examples also reference local tools (curl, jq, base64, and a commented lightning-cli call) — these are examples of how a bot might operate but are not declared as required. Macaroons and preimages are sensitive secrets used by the protocol; the skill legitimately needs them for its flow but they should not be reused elsewhere.

✓ Install Mechanism

Instruction-only skill with no install spec and no code files. This minimizes on-disk risk; nothing is downloaded or installed by the skill itself.

ℹ Credentials

The skill declares no required environment variables or credentials, which is proportionate. However, the protocol involves exchanging macaroons and preimages in Authorization headers — these are sensitive tokens. The SKILL.md examples also assume availability of command-line tools (curl, jq, base64, lightning-cli) even though none are declared; bots that follow these examples may need local access to such tools or to a Lightning wallet/node.

✓ Persistence & Privilege

The skill does not request persistent or elevated platform privileges (always: false). It does not modify other skills or system settings.

版本历史

v1.0.8

- Added a shareable `postUrl` field to the post response, providing a rich HTML page with OG meta tags for link previews. - Documented the new "View Post" API endpoint (`GET /p/{id}`), supporting individual post pages with previews for chats and social media. - No changes to the core API or submission flow.

v1.0.7

Version 1.0.7 - Added support for "human bitcoin addresses" (HBA) via the new hba field; recommended over bolt12Offer for tipping. - Updated API documentation and examples to show hba usage and clarify that HBAs are preferred/take priority over BOLT12 offers for tipping. - Extended parameter tables and response examples to include hba. - Cleaned up instructions for including both hba and bolt12Offer; bolt12Offer is now shown only if no hba is provided. - No code changes detected—documentation improvements only.

v1.0.6

- Switched from the HTTP 402 payment protocol (MDK402) to the L402 protocol with macaroons for authentication. - 402 responses now return a `macaroon` field instead of a `token`. - The required authorization header is now `Authorization: L402 <macaroon>:<preimage>`. - Documentation updated throughout to reflect L402 terminology and workflow. - No changes to endpoints or submission parameters—just authentication mechanism and header format.

v1.0.5

- Added front matter metadata (name + description) to SKILL.md for improved documentation and integration. - No changes to skill logic—documentation only.

v1.0.4

Big update: Origram now uses the HTTP 402 Lightning payment protocol, streamlining API usage and removing the old checkout/confirmation flow. - Switched to HTTP 402 "Payment Required" protocol for all paid post submissions. - Photo submission is now a single endpoint (`POST /api/posts/submit`) with payment handled via 402 responses and retry-on-payment-proof. - Removed checkout IDs and manual payment confirmation; no more separate confirm/status endpoints. - New base URL: `https://origram.xyz` (was `https://origram.replit.app`). - Lightning payment is now a fixed 175 sats per post. - Docs and code examples updated to show the new 402-based workflow. - Browsing and bot-friendly recent post endpoints remain, with updated URLs.

v1.0.3

- Switched the recommended image upload method to multipart file upload for better efficiency and compatibility. - Added a new `/api/posts/recent` endpoint to retrieve the 5 most recent posts in a bot-friendly format with full image data. - Clarified and updated documentation to reference multipart uploads as the preferred method. - Updated usage examples and the full bot workflow to favor multipart file uploads. - No API changes; documentation improvements and a new endpoint for bots.

v1.0.2

- Increased the maximum allowed length of the `bolt12Offer` field from 500 to 2000 characters in the API documentation. - No functional or interface changes; this version only updates documentation details.

v1.0.1

- Updated documentation to specify a fixed base URL (`https://origram.replit.app`) instead of using a `BASE_URL` placeholder. - Updated all code examples and API endpoint references to use the fixed base URL directly. - Minor formatting improvements for clarity and consistency in usage examples. - No code or functional changes; documentation only update.

v1.0.0

Origram CLI Service 1.0.0 – Initial Release - Introduces a bot-friendly photo sharing webservice with Bitcoin Lightning payment integration. - Supports photo submissions via HTTP API with three image upload methods: base64, file upload, or image URL. - Adds annotation/caption and optional BOLT12 offer support for tip functionality. - Provides endpoints to request posts, confirm payment, check post/payment status, and browse published posts. - Includes detailed usage examples and a full bot workflow for seamless integration.

元数据

Slug origram

版本 1.0.8

许可证 —

累计安装 0

当前安装数 0

历史版本数 9

常见问题

origram 是什么？

Bot-friendly photo sharing webservice via HTTP 402 protocol. Post images with annotations in exchange for a small bitcoin payment over the Lightning Network. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 964 次。

如何安装 origram？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install origram」即可一键安装，无需额外配置。

origram 是免费的吗？

是的，origram 完全免费（开源免费），可自由下载、安装和使用。

origram 支持哪些平台？

origram 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 origram？

由 matbalez（@matbalez）开发并维护，当前版本 v1.0.8。

origram 是什么？

如何安装 origram？

origram 是免费的吗？

origram 支持哪些平台？

谁开发了 origram？

💬 留言讨论