aperture: the L402 aware reverse proxy
Pass
Audited by ClawScan on May 10, 2026.
Overview
This skill appears purpose-aligned, but it installs and runs a local payment proxy that uses Lightning node invoice credentials and can keep running in the background.
Install this only if you intend to run an Aperture L402 payment proxy. Pin the Aperture version if needed, use regtest/testnet first, use an invoice-only macaroon, review the generated ~/.aperture/aperture.yaml for ports/TLS/auth settings, and stop the background service when you are done.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Aperture may use your Lightning node's invoice macaroon to create invoices; this is expected, but it is still account/payment-related authority.
The generated Aperture configuration points to local LND TLS and macaroon locations so Aperture can create invoices for L402 challenges.
LND_TLS="$HOME/.lnd/tls.cert" ... LND_MACDIR="$HOME/.lnd/data/chain/bitcoin/$NETWORK" ... macdir: "$LND_MACDIR"
Use an invoice-only macaroon, avoid admin macaroons, test on regtest/testnet first, and review ~/.aperture/aperture.yaml before starting the proxy.
You are trusting the current upstream Aperture module at install time, which may change over time.
The installer downloads and builds an external Go module, defaulting to the latest version unless the user pins one.
VERSION="${VERSION:-@latest}" ... go install "github.com/lightninglabs/aperture/cmd/aperture${VERSION}"
Pin a known Aperture version with --version when reproducibility matters, and install only if you trust the Lightning Labs Aperture source.
The proxy can continue running after the initiating shell command finishes, accepting requests according to its configuration.
The start script launches Aperture as a background process rather than only running it in the foreground.
nohup aperture --configfile="$CONFIG_FILE" \
> "$LOG_FILE" 2>&1 &
Use --foreground for temporary testing, check the log file, and run scripts/aperture/stop.sh or otherwise stop the process when finished.
If you have another Aperture instance running, this stop command may terminate it too.
The stop script finds processes by the executable name 'aperture' and terminates them, rather than tracking only a PID started by this skill.
APERTURE_PID=$(pgrep -x aperture 2>/dev/null || true) ... kill "$APERTURE_PID"
Confirm which Aperture process is running before stopping it, especially on hosts with multiple Aperture deployments.
