Self-hosted Crypto Payment
Author: Flacko2048 · v1.0.1 · MIT-0
Total downloads: 116 · Favorites: 1 · Current installs: 0 · Versions: 2
Install in OpenClaw
/install self-hosted-crypto
Description
Add self-custodied crypto payment checkout to a Next.js + Supabase app. Accepts ETH, BTC, SOL, USDC, USDT and 25+ coins across 9 chains. No payment processor...
Security recommendations
Key points to review before installing:
- This is true self-custody: CRYPTO_MASTER_MNEMONIC controls all derived deposit wallets. If compromised you lose funds. Use a secure secrets manager (Vercel/AWS/etc.), not a checked-in .env file. Prefer a dedicated hot wallet with minimal funds for day-to-day payments; consider a multisig or sweep strategy for long-term storage.
- The skill's registry metadata omitted required env vars. Do not trust the registry summary — follow SKILL.md and the code which require CRYPTO_MASTER_MNEMONIC and CRON_SECRET.
- Ensure CRON_SECRET is strong and stored in hosting cron config so the cron request includes Authorization: Bearer <CRON_SECRET>. Confirm timingSafeEqual usage is actually comparing fixed-length buffers (the code does this), but test cron auth in a staging environment.
- The skill assumes you have a working server-side Supabase service client helper; verify your service role keys and RLS policies are correct and no mnemonic or private keys are exposed to client bundles. Do not import crypto-wallets.ts into client code.
- Audit the copied server files (resources/*.ts) yourself before deploying, and test on testnets first. Verify the RPC endpoints hard-coded in the code are acceptable for your needs (they are public RPC endpoints) and consider replacing with paid/private RPC providers if you need higher reliability.
- Consider operational risks: address reuse prevention, DB backups, expiry windows, edge cases for token decimals and chain reorganizations, and legal/compliance implications of accepting crypto in your jurisdiction.
- If you want stronger assurance, ask the publisher for provenance (homepage, source repo) and a security review; lack of a homepage/source in the registry metadata reduces traceability.
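One way to implement the cron authorization check from the list above, shown as an added example that is not the skill's own code. The function names, the `MIN_SECRET_LENGTH` threshold and the HMAC step are assumptions chosen for illustration; reducing both values to equal-length digests is what keeps `timingSafeEqual` on fixed-length buffers.

```javascript
// Added example, not the skill's code. Plain Node.js, no dependencies.
const { createHmac, randomBytes, timingSafeEqual } = require("node:crypto");

// Assumption: reject secrets shorter than this many characters.
const MIN_SECRET_LENGTH = 32;

// Per-process random key. Both values are reduced to 32-byte HMAC-SHA256
// digests, so timingSafeEqual always receives equal-length buffers.
const DIGEST_KEY = randomBytes(32);

function fixedLengthDigest(value) {
  return createHmac("sha256", DIGEST_KEY).update(value, "utf8").digest();
}

// authorizationHeader: raw Authorization header value, or null/undefined.
// cronSecret: the CRON_SECRET environment value.
function isAuthorizedCronRequest(authorizationHeader, cronSecret) {
  // Fail closed on a missing or weak secret, so "Bearer undefined" or an
  // empty token can never match an unset variable.
  if (typeof cronSecret !== "string" || cronSecret.length < MIN_SECRET_LENGTH) {
    return false;
  }
  if (typeof authorizationHeader !== "string") return false;

  const prefix = "Bearer ";
  if (!authorizationHeader.startsWith(prefix)) return false;

  const presented = authorizationHeader.slice(prefix.length);
  return timingSafeEqual(fixedLengthDigest(presented), fixedLengthDigest(cronSecret));
}

// Why the digest step matters: on raw buffers of different byte lengths
// timingSafeEqual throws instead of returning false.
function rawCompareThrows(a, b) {
  try {
    timingSafeEqual(Buffer.from(a, "utf8"), Buffer.from(b, "utf8"));
    return false;
  } catch (err) {
    return true;
  }
}

// Constructed sample value, not a real secret.
const SAMPLE_SECRET = "constructed-sample-cron-secret-0123456789";
```

In a staging test, send the cron request once with the correct header, once with a wrong token and once with no header, and confirm that only the first is accepted.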
Functional analysis
Type: OpenClaw Skill
Name: self-hosted-crypto
Version: 1.0.1
The skill bundle provides a comprehensive and well-documented implementation for a self-hosted crypto payment gateway using HD wallet derivation (EVM, BTC, SOL). While it handles a highly sensitive secret (CRYPTO_MASTER_MNEMONIC), the code follows security best practices, such as performing all derivation server-side, using timing-safe comparisons for authentication (timingSafeEqual in check-crypto-payments-route.ts), and implementing database-level protections like Row Level Security (RLS) and unique constraints to prevent address reuse. The external network calls are limited to standard public blockchain RPCs and price APIs (CoinGecko, Mempool.space), and the documentation includes explicit security advisories regarding mnemonic management.
Capability assessment
Purpose & Capability
The skill's code and SKILL.md align with the stated purpose: it derives HD wallet addresses (EVM/BTC/SOL), creates pending payment records, polls blockchains, and applies payments. Requiring a master mnemonic (CRYPTO_MASTER_MNEMONIC) and a cron secret is consistent with self-custodied payments. However, the registry metadata lists "Required env vars: none" while SKILL.md and the code explicitly require CRYPTO_MASTER_MNEMONIC and CRON_SECRET; that metadata omission is an inconsistency you should not ignore.
Instruction Scope
SKILL.md is explicit: copy server-side files into Next.js routes, install listed npm deps, add CRYPTO_MASTER_MNEMONIC and CRON_SECRET, and configure a cron to hit the protected endpoint. The instructions restrict mnemonic to server-side and explicitly warn not to import wallet code into client components. The instructions do ask the agent to read/write project files (copy templates), which matches allowed-tools and the skill's purpose.
Install Mechanism
There is no automated install spec (instruction-only). The SKILL.md instructs installing standard npm packages (ethers, @scure/*, @solana/web3.js, qrcode). These are expected and proportionate. No arbitrary binary downloads or remote archives are used by the skill itself.
Credentials
The code and SKILL.md require two sensitive environment values: CRYPTO_MASTER_MNEMONIC (BIP39 mnemonic controlling all derived deposit addresses) and CRON_SECRET (protecting cron endpoint). Those are proportionate to the functionality but extremely high-value secrets. The registry metadata incorrectly reported 'none' for required env vars — a potentially dangerous omission. Also the skill relies on your Supabase server-side client configuration (service role/keys) but does not explicitly list any Supabase service role env vars; ensure your existing server helpers are already correctly configured.
Persistence & Privilege
The skill does not request always:true and is user-invocable. It requires file read/write/edit permissions to copy templates into your repo — that's expected for a code scaffolding skill. It does not attempt to modify other skills or system-wide agent configuration. No persistent autonomous privileges beyond normal skill behavior are requested.
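How to use
- Make sure OpenClaw is installed (local or Docker deployment)
- Enter the install command in the chat box: /install self-hosted-crypto
- After installation, call the Skill by name or use /self-hosted-crypto to trigger it
- Provide the required inputs according to the Skill's parameter description to get structured output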
Version history
v1.0.1
- Added explicit environment variable requirements for `CRYPTO_MASTER_MNEMONIC` and `CRON_SECRET` in the skill manifest.
- Updated installation instructions to include `qrcode` and `@types/qrcode` as required dependencies.
- No code changes; documentation and setup process are now more precise for easier onboarding and configuration.
v1.0.0
Self-hosted crypto payments for Next.js + Supabase apps — complete, no third-party required.
- Adds production-ready, self-custodied crypto checkout supporting 25+ coins across 9 blockchains (ETH, BTC, SOL, USDC, USDT, and more).
- No payment processor fees; all addresses derived and managed in-app using a single mnemonic (HD wallet).
- Implements on-chain polling via a cron job to securely confirm payments (no reliance on webhooks).
- Modular checkout handles credits, plan changes, and resource add-ons—with server-side pricing enforced.
- Includes setup docs, ready-to-copy API/routes/components, and security notes for fast integration.
- Fully customisable: supported coins, fulfillment logic, payment window, and more.
FAQ
What is Self-hosted Crypto Payment?
Add self-custodied crypto payment checkout to a Next.js + Supabase app. Accepts ETH, BTC, SOL, USDC, USDT and 25+ coins across 9 chains. No payment processor... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 116 downloads to date.
How do I install Self-hosted Crypto Payment?
Run the command "/install self-hosted-crypto" in the OpenClaw or Claude Code chat box to install it in one step; no extra configuration is needed.
Is Self-hosted Crypto Payment free?
Yes, Self-hosted Crypto Payment is completely free, released under the MIT-0 license, and can be freely downloaded, installed and used.
Which platforms does Self-hosted Crypto Payment support?
Self-hosted Crypto Payment is cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed.
Who developed Self-hosted Crypto Payment?
It is developed and maintained by Flacko2048 (@flacko2048); the current version is v1.0.1.