alby-bitcoin-payments-agent-skill
Add bitcoin lightning wallet capabilities to your app using Nostr Wallet Connect (NIP-47), LNURL, and WebLN. Send and receive payments, handle payment notifications, fetch wallet balance and transaction list, do bitcoin to fiat currency conversions, query lightning addresses, conditionally settle payments (HOLD invoices), parse BOLT-11 invoices, verify payment preimages.
81
77%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Advisory
Suggest reviewing before use
Optimize this skill with Tessl
npx tessl skill review --optimize ./SKILL.mdSecurity
2 findings — 2 medium severity. This skill can be installed but you should review these findings before use.
W011: Third-party content exposure detected (indirect prompt injection risk)
What this means
The skill exposes the agent to untrusted, user-generated content from public third-party sources, creating a risk of indirect prompt injection. This includes browsing arbitrary URLs, reading social media posts or forum comments, and analyzing content from unknown websites.
Why it was flagged
Third-party content exposure detected (high risk: 0.90). The skill's code and docs explicitly fetch and ingest untrusted public content (e.g., LightningAddress.fetch / lnurl requests in references/lightning-tools/lnurl.md and LightningAddress class in references/lightning-tools/index.d.ts, the test faucet POST to https://faucet.nwc.dev in references/automated-testing.md, and NWCClient subscribeNotifications and NWC relay interactions in references/nwc-client/*) and the agent is expected to read and act on that remote data (invoices, LNURL/metadata, notifications) which can materially influence payments and next actions.
W009: Direct money access capability detected (payment gateways, crypto, banking)
What this means
The skill is specifically designed for direct financial operations, giving the agent the ability to move money or execute financial transactions — such as payment processing, cryptocurrency operations, banking integrations, or market order execution.
Why it was flagged
Direct money access detected (high risk: 1.00). The skill is explicitly designed for cryptocurrency payments: it exposes Bitcoin Lightning wallet capabilities and named payment protocols (Nostr Wallet Connect NIP-47, LNURL, WebLN). It includes functions to send and receive payments, conditionally settle (HOLD) invoices, fetch balances and transactions, parse BOLT-11 invoices and verify preimages — all direct mechanisms to move or authorize movement of funds. This is specific financial execution functionality (crypto payments/wallet operations), not a generic tool, so it meets the "Direct Financial Execution" criterion.
- Repository
- getAlby/alby-agent-skill
- Commit
879f90d
- Audited
- Security analysis
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.