Orange Wallet
v0.1.0Command-line Lightning wallet for AI agents with graduated custody, enabling instant trusted payments and self-custodial channels via JSON shell commands.
⭐ 0· 103·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidencePurpose & Capability
Name/description, README, SKILL.md, and source code all implement a CLI Lightning wallet (daemon, receive/send, events, webhooks, seed storage, chain source and LSP config). The requested things (disk storage, optional chain RPC creds, optional LSP token) match the wallet purpose.
Instruction Scope
Runtime instructions stay within the wallet domain (build with Rust, run daemon, configure storage/chain/LSP, webhooks or polling). Two points to be aware of: (1) the daemon writes a wallet seed to disk (~/.orange/seed by default) and prints the path — protect and back this up; (2) webhook behavior marks events handled even if delivery ultimately fails after retries, which can cause missed notifications; otherwise instructions do not ask the agent to read unrelated files or secrets.
Install Mechanism
The skill bundle is instruction-only in the registry but includes full Rust source and a Cargo.toml that pulls orange-sdk from a GitHub repo at a fixed revision. Building requires running rustup (the SKILL.md recommends the standard curl | sh installer) and protoc. This is typical but implies a supply-chain fetch of external Rust dependencies (git crates) at build time — review the referred orange-sdk repository and pinned revision if you need higher assurance.
Credentials
The registry declares no required environment variables. The config file can contain chain RPC credentials (username/password) and an optional LSP token — these are expected for a wallet. No unrelated credentials or system secrets are requested by the skill or seen in the code.
Persistence & Privilege
always is false and the skill does not request persistent/privileged platform presence. It creates and uses its own storage path and files (seed, SQLite DB, logs) under the configured storage_path but does not modify other skills or global agent settings.
Assessment
This appears to be a legitimate CLI Lightning wallet implementation, but exercise caution before running with real funds: 1) Backup and protect the wallet seed file written to storage_path (the only recovery method). 2) Review or build from the included source and audit the orange-sdk GitHub dependency (Cargo.toml points to a git repo at a specific rev) to reduce supply-chain risk. 3) The SKILL.md suggests running the standard rustup install script (curl | sh) and cloning a remote repo; if you prefer, build from the code bundled with the skill instead of re-cloning an external repository. 4) Check and replace example defaults — the example config points to a specific LSP IP and node; if you don't control that LSP, funds/operations may involve a third party. 5) Note webhook semantics: events are marked handled even after webhook delivery failures, which can lead to missed notifications; design your integration with that behavior in mind. 6) Because this is labeled alpha, avoid using large sums until you have audited the code and the SDK dependency.Like a lobster shell, security has layers — review code before you run it.
latestvk974psxe3x1cwqp5tqgp6m02pd832e80
License
MIT-0
Free to use, modify, and redistribute. No attribution required.