← 返回 Skills 市场
SatsRail MCP — Bitcoin Lightning Payments for AI Agents
作者
Ruby Tuesday
· GitHub ↗
· v1.0.0
386
总下载
0
收藏
0
当前安装
1
版本数
在 OpenClaw 中安装
/install satsrail-mcp
功能描述
Enable AI agents to create Bitcoin Lightning payment orders, generate invoices, check payment status, and manage payments via natural language with SatsRail...
安全使用建议
This skill appears to do what it claims (Lightning payments through SatsRail) but contains important inconsistencies and a runtime install behavior you should consider before enabling it. Before installing: (1) Verify the satsrail-mcp npm package and the linked GitHub repo — review source and recent maintainer activity; (2) Use a test API key (sk_test_...) and restrict permissions if possible; (3) Expect that npx/npm must be available in the runtime environment — the metadata should have declared that; (4) Prefer explicitly installing and auditing the npm package ahead of giving the agent a live key rather than allowing automatic npx downloads at runtime; (5) Run the integration in an isolated or monitored environment and check logs/network egress for unexpected behavior; (6) Ask the publisher/registry owner to update the metadata to declare SATSRAIL_API_KEY and the npx/npm dependency so you can make an informed risk decision.
功能分析
Type: OpenClaw Skill
Name: satsrail-mcp
Version: 1.0.0
The skill bundle is classified as suspicious due to the use of `npx -y satsrail-mcp` in the `SKILL.md` configuration instructions. This command downloads and executes an external npm package without explicit user confirmation, introducing a significant supply chain vulnerability. If the `satsrail-mcp` package on npm were compromised, this could lead to Remote Code Execution (RCE) on the host system. While this is a critical risk, there is no direct evidence of malicious intent within the provided files, but rather a risky execution method that allows for potential exploitation.
能力评估
Purpose & Capability
The described capabilities (create orders, generate bolt11 invoices, check payment status) are coherent with a SatsRail Lightning integration. However, the registry metadata claims no required environment variables or binaries while the SKILL.md explicitly instructs the operator to provide a SATSRAIL_API_KEY and to invoke npx (npx/npm) to run the satsrail-mcp package. That mismatch (undeclared secret and undeclared runtime dependency) is an inconsistency.
Instruction Scope
The instructions stay focused on integrating an MCP server with SatsRail: configuring an MCP server entry, providing an API key in the server env, and invoking the satsrail-mcp npm package. The SKILL.md does not instruct the agent to read unrelated files or exfiltrate other system secrets. It does, however, instruct the environment to execute code fetched from npm at runtime (via npx), which increases the scope of what will run.
Install Mechanism
There is no install spec in the registry metadata, but the SKILL.md example uses 'npx -y satsrail-mcp' — this implies runtime download and execution of an npm package. Fetching and executing code from npm at runtime is a moderate-to-high risk if you haven't audited the package source. The SKILL.md points to GitHub and npm pages (helpful), but the package install/execute behavior should have been declared explicitly in the metadata.
Credentials
Registry metadata lists no required env vars, yet SKILL.md requires a SATSRAIL_API_KEY (sk_live_... / sk_test_...) to operate. Requesting one service-specific API key is reasonable for a payments integration, but the omission in metadata is a red flag. The skill does not request unrelated credentials, which is good; the issue is the missing declaration of a required secret and guidance about its scope/permissions.
Persistence & Privilege
The skill does not request always:true and is user-invocable only; model invocation is allowed (the platform default). The skill does not declare or request system-wide config changes beyond adding an MCP server entry with the API key — that is expected for this integration. No evidence of the skill modifying other skills or system-wide settings.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install satsrail-mcp - 安装完成后,直接呼叫该 Skill 的名称或使用
/satsrail-mcp触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v1.0.0
Initial release — Bitcoin Lightning payments for any MCP-compatible AI agent
元数据
常见问题
SatsRail MCP — Bitcoin Lightning Payments for AI Agents 是什么?
Enable AI agents to create Bitcoin Lightning payment orders, generate invoices, check payment status, and manage payments via natural language with SatsRail... 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 386 次。
如何安装 SatsRail MCP — Bitcoin Lightning Payments for AI Agents?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install satsrail-mcp」即可一键安装,无需额外配置。
SatsRail MCP — Bitcoin Lightning Payments for AI Agents 是免费的吗?
是的,SatsRail MCP — Bitcoin Lightning Payments for AI Agents 完全免费(开源免费),可自由下载、安装和使用。
SatsRail MCP — Bitcoin Lightning Payments for AI Agents 支持哪些平台?
SatsRail MCP — Bitcoin Lightning Payments for AI Agents 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 SatsRail MCP — Bitcoin Lightning Payments for AI Agents?
由 Ruby Tuesday(@rubytuess)开发并维护,当前版本 v1.0.0。
推荐 Skills