Alby Bitcoin Payments Skill

v1.2.3

Teaches agents how to use @getalby/cli for bitcoin lightning wallet operations using Nostr Wallet Connect (NIP-47). Use when the user needs to send/receive b...

by Roland (@rolznz)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto · Requires wallet · Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Pending
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description, required binary (npx), required env var (NWC_URL), and config path (~/.alby-cli/) match a CLI that drives Alby/Nostr Wallet Connect operations. Nothing requested appears unrelated to a bitcoin/lightning wallet skill.
Instruction Scope
SKILL.md instructs the agent to invoke npx @getalby/cli commands and to supply a NWC connection secret (via NWC_URL, wallet-name, or connection file). It also includes logic for auto-paying HTTP 402 endpoints and creating/storing test wallets. This is appropriate for the stated purpose but means the agent can initiate payments; the doc advises not to print secrets but also expects the CLI to use them, so protect secrets and ensure the agent obeys spending limits.
Install Mechanism
Instruction-only skill (no install spec) that uses npx -y @getalby/cli@0.6.1 at runtime. Running packages from npm via npx is expected here but carries the usual runtime-fetch risk (remote code execution each invocation) — the skill pins a specific CLI version which reduces but does not eliminate supply-chain risk.
Credentials
Only NWC_URL (primary credential) and the ~/.alby-cli/ config path are required, which are appropriate for a wallet CLI. No unrelated credentials or broad system paths are requested.
Persistence & Privilege
always:false (not force-included), no install artifacts declared, and no instructions to modify other skills or system-wide agent settings. The skill does require access to a per-user config directory (~/.alby-cli/) which is expected for wallet storage.
Assessment
This skill is coherent for controlling an Alby/NWC Lightning wallet, but it gives an agent the ability to access connection secrets and make payments. Only install it for agents you trust. Mitigations:
(1) Use a dedicated test wallet or a wallet with minimal funds for the agent.
(2) Keep NWC_URL and any connection-secret files safe and do not share them.
(3) Use the --max-amount flag or explicit user confirmations to cap spending when using fetch/pay commands.
(4) Note that npx will fetch the @getalby/cli package at runtime; verify the package and pinned version (0.6.1) before use.
(5) Do not set always:true for this skill and avoid granting it broader credentials or access to unrelated config paths.

Runtime requirements

🐝 Clawdis
Bins: npx
Env: NWC_URL
Config: ~/.alby-cli/
Primary env: NWC_URL