shoneanstey

Saturnzap

Author: LQWDTech · GitHub · v1.3.2 · MIT-0
linux ⚠ suspicious
Total downloads: 100 · Favorites: 0 · Current installs: 0 · Versions: 7
Install in OpenClaw
/install saturnzap
Description
Non-custodial Lightning wallet for AI agents via `sz` CLI: send/receive sats, pay invoices, auto-pay HTTP 402 (L402), manage channels and liquidity. Use when...
Safe-use recommendations
This skill appears to be what it says (a self-custodial Lightning wallet) but carries the normal risks of any wallet. Before installing:
  1. Only run the installer after manually reviewing the install script and verifying release artifacts (SHA256) from the referenced GitHub Releases; avoid blind curl | sh.
  2. Do not put production passphrases in openclaw.json or logs; prefer a secret store or systemd EnvironmentFile (the SKILL.md recommends this).
  3. Limit autonomous spend by configuring spending caps (SZ_CLI_MAX_SPEND_SATS, SZ_MCP_MAX_SPEND_SATS) and require human approval for high-value payments or disable autonomous invocation for payment actions.
  4. Run the skill on an isolated, hardened host (not a multi-tenant orchestrator) since it stores seed material and can write /etc/systemd files.
  5. Backup the mnemonic securely (offline) and only use the --no-mnemonic-stdout / backup-to flags to avoid exposing the seed in orchestration logs.
If you cannot inspect and vet the installer and release artifacts, or you cannot enforce spending controls, treat this skill as risky and avoid installing it on hosts with valuable funds.
Functional analysis
Type: OpenClaw Skill
Name: saturnzap
Version: 1.3.2

SaturnZap is a self-custodial Lightning wallet CLI that exhibits high-risk behaviors, including the use of a 'curl | sh' installer and the installation of a systemd service for persistence (SKILL.md). It also downloads a vendored Python wheel for 'ldk-node' directly from GitHub Releases rather than a standard package registry. While the documentation is transparent about these risks and provides spending guardrails, the combination of private key management, external binary execution, and persistence mechanisms warrants a suspicious classification. No evidence of intentional malice or data exfiltration was found.
Capability tags
crypto · requires-wallet · can-make-purchases · requires-sensitive-credentials
Capability assessment
Purpose & Capability
Name/description, required binary 'sz', and the single required env var SZ_PASSPHRASE align with a non-custodial Lightning wallet. The optional environment variables and commands in SKILL.md (pay, invoice, channels, L402 fetch) are appropriate for the stated functionality.
Instruction Scope
The SKILL.md instructs the agent to run the 'sz' CLI for wallet operations (init, pay, invoice, fetch) and to manage local state (mnemonic backup, systemd service). Those actions are within scope for a wallet. Two things to note: (1) first-time init prints the BIP39 mnemonic (it warns about this and offers flags to avoid stdout), and (2) the skill's L402 fetch and pay operations will cause network requests and may auto-pay invoices — the agent can spend funds if allowed. The SKILL.md also suggests various ways to inject the passphrase; it warns against insecure storage, but the agent/integrator must be careful not to leak the passphrase in logs or transcripts.
Install Mechanism
The README suggests installing via a one-line installer piped from raw.githubusercontent.com (curl -LsSf https://raw.githubusercontent.com/... | sh) and references a vendored ldk-node wheel from GitHub Releases. Downloading and executing a remote install script (curl|sh) is a higher-risk install pattern unless you explicitly inspect and verify the script and release artifacts (e.g., SHA256). The declared 'uv' install package is acceptable if you trust that package source, but the one-line installer is the main risk.
Credentials
Only SZ_PASSPHRASE is required and is correctly declared as the primary credential. The optional environment variables relate to caps, network, and UI behavior and are proportionate. No unrelated credentials are requested.
Persistence & Privilege
always:false (normal). The skill is user-invocable and allows autonomous invocation (platform default). Because the skill can initiate payments and install a systemd service (sz service install writes /etc/saturnzap/saturnzap.env), granting it autonomous access increases potential impact — consider policy controls or human approval for spend operations. The service install will write files under /etc and may require elevated privileges.
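How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install saturnzap
  3. Once installation completes, invoke the Skill by name or trigger it with /saturnzap
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history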
v1.3.2
SKILL setup section now leads with the one-line installer (curl ... | sh) which handles uv install + the vendored ldk-node wheel automatically. Plain 'uv tool install saturnzap' still fails on fresh hosts because ldk-node is not on PyPI.
v1.3.1
Soften OpenClaw verdict: declare optional env vars in metadata, recommend --backup-to/--no-mnemonic-stdout for agent hosts, deprioritize openclaw.json passphrase storage in favor of systemd EnvironmentFile and secret stores.
v1.3.0
SaturnZap 1.3.0 - Updated install instructions: "uv tool install" now uses the versioned GitHub Releases expanded_assets path for ldk-node wheel. - No other doc, command, or usage changes. All other content unchanged.
v1.2.3
Revert v1.2.2 VirusTotal subsection. SKILL.md content restored to the v1.2.1 wording that scored Benign.
v1.2.2
Add VirusTotal subsection to Security Model explaining the 0/70 AV result versus the LLM Code Insights 'Suspicious' label.
v1.2.1
Add Security Model section to SKILL.md explaining each capability flag (vendored wheel, mnemonic emission, passphrase storage, systemd service) and link to the repo's threat model.
v1.2.0
Initial ClawHub release. Non-custodial Lightning wallet for AI agents. MCP server, L402 auto-pay, 25 tools, CLI-first JSON output.
Metadata
Slug saturnzap
Version 1.3.2
License MIT-0
Total installs 0
Current installs 0
Version count 7
FAQ

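What is Saturnzap?

Non-custodial Lightning wallet for AI agents via `sz` CLI: send/receive sats, pay invoices, auto-pay HTTP 402 (L402), manage channels and liquidity. Use when... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 100 total downloads so far.

How do I install Saturnzap?

Run the command "/install saturnzap" in the OpenClaw or Claude Code chat box for a one-click install; no additional configuration is needed.

Is Saturnzap free?

Yes, Saturnzap is completely free and released under the MIT-0 license; it can be freely downloaded, installed, and used.

Which platforms does Saturnzap support?

Saturnzap runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (linux).

Who developed Saturnzap?

Developed and maintained by LQWDTech (@shoneanstey); the current version is v1.3.2.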
