Lightning Agentic Commerce
Verdict: Warn. Audited by ClawScan on May 10, 2026.
Overview
The skill's instructions are consistent with its stated purpose (Lightning commerce), but it deserves review because it can direct an agent to install unreviewed payment-stack components, handle wallet secrets, and spend or lock real funds.
Only install this if you are comfortable managing Lightning funds and local wallet secrets. Review the referenced installer scripts before running them, start on testnet or with a small dedicated wallet, require manual approval for every payment and channel operation, avoid the --insecure hosting path unless you understand what it disables, and make sure every service the workflow started (including the backend web server) is stopped when you are finished.
Findings (6)
This is an artifact-based, informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes, so the findings describe what the instructions direct, not observed behaviour.
Risk: An agent following the workflow could spend, lock, or expose real funds if the user has not set strict limits and approvals.
Detail: The skill explicitly instructs financial operations: funding a wallet, opening a Lightning channel, and paying invoices. Although it shows --max-cost examples, it neither requires explicit user confirmation before each of these high-impact actions nor sets a global spending budget; the channel-open example alone commits 1,000,000 sats (0.01 BTC).
Evidence: Send BTC to this address from an exchange or another wallet ... openchannel --node_key=<pubkey> --local_amt=1000000 ... lnget pays invoice
Recommendation: Require manual confirmation for wallet funding, channel opens, and every payment; use testnet or a separate low-balance wallet by default; set hard global budgets and log every spend.
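One way to put the recommended controls in front of a payment command, as an added example that is not part of the skill: a shell wrapper that enforces a hard per-session budget recorded in a ledger file and takes approval from a human at the terminal rather than from the agent's input. The ledger path, the LN_BUDGET_SATS variable, the guarded_pay name and the form of the command passed after `--` are all assumptions of this example; the page does not show the real client invocation.

```shell
#!/bin/sh
# Added example: spending guard for agent-driven Lightning payments.
# Not part of the skill; ledger path, variables and function names are assumed.

# Hard ceiling for this session, in sats. Keep it small on a dedicated wallet.
: "${LN_BUDGET_SATS:=5000}"
# Ledger of sats already committed this session, one amount per line.
: "${LN_LEDGER:=${HOME}/.lnget/spend-ledger.txt}"

ledger_total() {
    # Sum every amount recorded in the ledger; a missing ledger means 0 spent.
    [ -f "$1" ] || { echo 0; return 0; }
    awk '{ s += $1 } END { print s + 0 }' "$1"
}

budget_allows() {
    # Usage: budget_allows LEDGER BUDGET_SATS AMOUNT_SATS
    # Succeeds only if AMOUNT is a whole number of sats that still fits the budget.
    ledger=$1; budget=$2; amount=$3
    case "$amount" in
        ''|*[!0-9]*) echo "refusing: amount '$amount' is not a whole number of sats" >&2; return 1 ;;
    esac
    spent=$(ledger_total "$ledger")
    if [ $((spent + amount)) -gt "$budget" ]; then
        echo "refusing: $amount sats would exceed the budget ($spent of $budget sats already committed)" >&2
        return 1
    fi
    return 0
}

confirm_on_tty() {
    # Approval must come from a human at the terminal, never from the agent's stdin.
    [ -r /dev/tty ] || { echo "refusing: no terminal available for approval" >&2; return 1; }
    printf 'Pay %s sats to %s? [y/N] ' "$1" "$2" > /dev/tty
    read -r answer < /dev/tty
    [ "$answer" = y ] || [ "$answer" = Y ]
}

guarded_pay() {
    # Usage: guarded_pay AMOUNT_SATS TARGET -- PAYMENT_COMMAND...
    # The command after -- is whatever client invocation you would otherwise run directly.
    amount=$1; target=$2; shift 2
    [ "${1:-}" = -- ] && shift
    budget_allows "$LN_LEDGER" "$LN_BUDGET_SATS" "$amount" || return 1
    confirm_on_tty "$amount" "$target" || return 1
    mkdir -p "$(dirname "$LN_LEDGER")"
    # Record the spend before paying so an interrupted payment is never under-counted.
    echo "$amount" >> "$LN_LEDGER"
    printf '%s %s sats %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$amount" "$target" >> "${LN_LEDGER%.txt}.log"
    "$@"
}
```

The ledger is appended before the payment command runs, so a crash mid-payment counts against the budget rather than silently freeing it, and the approval prompt reads /dev/tty directly so an agent cannot satisfy it by piping "y" into the wrapper's stdin. Reset the ledger deliberately when a new session starts; do not let the agent do it.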
Risk: If these local files are mishandled or read by another process, a wallet or Lightning node could be controlled and funds could be lost.
Detail: These are high-value wallet and node credentials that can control funds: anyone who reads the seed mnemonic can restore the wallet on another machine, and lnd's admin macaroon authorizes payments and channel operations over its RPC. The 0600 mode only keeps other local users out; it does nothing against root, backups, or any process running as the same user, which includes the agent itself. The skill's registry metadata declares no credentials or config paths, so the authority it actually handles is under-declared anywhere other than in the instructions themselves.
Evidence: Wallet passphrase | Stored at `~/.lnget/lnd/wallet-password.txt` (0600) ... Seed mnemonic | Stored at `~/.lnget/lnd/seed.txt` (0600) ... lnd macaroons | Standard lnd paths
Recommendation: Use a dedicated low-value wallet; prefer watch-only or remote-signer setups for meaningful funds; protect and back up secrets carefully; and declare credential and config paths in the metadata.
Risk: A user or agent may run unreviewed installers with access to a payment environment and local secrets.
Detail: The supplied artifact set has no install spec and no code files, yet the workflow depends on running three installer scripts for a financial stack. Their contents, origin, and version pinning are not available for review, so nothing in the package establishes what they download or execute.
Evidence: skills/lnd/scripts/install.sh ... skills/lnget/scripts/install.sh ... skills/aperture/scripts/install.sh
Recommendation: Include the referenced scripts in the reviewed package, pin official release sources and checksums, and require user approval before running installers.
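What "pin checksums and require approval" looks like in practice, as an added example rather than anything the skill ships: a small wrapper that refuses to run an installer unless its SHA-256 matches a value the user obtained independently, and that shows the script before asking for approval. The script path, the expected digest and the function names are placeholders for this example; the skill's install.sh files are not available, so nothing here describes their contents.

```shell
#!/bin/sh
# Added example: execute an installer only after its SHA-256 matches a pinned
# value and a human has seen its contents. Not part of the skill; the paths and
# digests are placeholders supplied by the caller.

sha256_of() {
    # Print the hex SHA-256 of a file with whichever tool the platform has.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{ print $1 }'
    else
        shasum -a 256 "$1" | awk '{ print $1 }'
    fi
}

verify_pinned() {
    # Usage: verify_pinned FILE EXPECTED_SHA256 ; succeeds only on an exact match.
    # A missing file yields an empty digest, which also fails the comparison.
    actual=$(sha256_of "$1") || return 1
    if [ "$actual" != "$2" ]; then
        echo "checksum mismatch for $1: expected $2, got $actual" >&2
        return 1
    fi
    return 0
}

run_pinned_installer() {
    # Usage: run_pinned_installer SCRIPT EXPECTED_SHA256
    # Verify first, then display the script so the user approves exactly what will run.
    verify_pinned "$1" "$2" || return 1
    printf '=== %s (sha256 %s verified) ===\n' "$1" "$2"
    cat "$1"
    [ -r /dev/tty ] || { echo "refusing: no terminal for approval" >&2; return 1; }
    printf 'Run this installer now? [y/N] ' > /dev/tty
    read -r answer < /dev/tty
    [ "$answer" = y ] || return 1
    sh "$1"
}
```

The pinned digest has to come from somewhere other than the script itself: a release page fetched over HTTPS, a signed checksum file, or the package as reviewed. A digest that travels alongside an unreviewed script only proves the script was not corrupted in transit, not that it is the one you meant to run.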
Risk: Data intended to be sold behind the paywall could be exposed directly or protected with weaker transport or security settings.
Detail: The seller setup passes --insecure to the aperture setup script without saying what that disables, and starts the backend with python3 -m http.server, which listens on all interfaces unless --bind is given. With no guidance to bind it to localhost or firewall it, port 8080 serves the paid files to anyone who can reach the host, bypassing the paywall entirely.
Evidence: skills/aperture/scripts/setup.sh --port 8081 --insecure ... cd /tmp/api-data && python3 -m http.server 8080 &
Recommendation: Explain exactly what --insecure disables, default to secure TLS settings, bind the backend to 127.0.0.1, and document firewall requirements before exposing endpoints.
Risk: A local web server could keep serving files or exposing data after the commerce stack is supposedly shut down.
Detail: The instructions start the backend HTTP server with a trailing & and never record its PID, but the cleanup section only stops aperture and lnd. The backend therefore keeps serving /tmp/api-data after the user believes everything was stopped.
Evidence: cd /tmp/api-data && python3 -m http.server 8080 & ... Stopping Everything ... skills/aperture/scripts/stop.sh ... skills/lnd/scripts/stop-lnd.sh
Recommendation: Track and stop all background processes, include a backend stop command, and prefer managed services with explicit lifecycle controls.
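The two backend findings above (exposure on all interfaces, and no stop command) have one small fix, shown here as an added example that is not part of the skill: start the backend bound to loopback and record the PID of every background process so a single stop function can terminate all of them. The LNC_RUN_DIR location and the function names are assumptions; the http.server flags are the real ones (--bind has existed since Python 3.4, --directory since 3.7).

```shell
#!/bin/sh
# Added example: start the paywalled backend on loopback only and keep a PID
# record for every background process so that shutdown stops all of them.
# Not part of the skill; LNC_RUN_DIR and the function names are assumed.

LNC_RUN_DIR=${LNC_RUN_DIR:-/tmp/lnc-run}

start_tracked() {
    # Usage: start_tracked NAME COMMAND [ARGS...]
    # Runs COMMAND in the background and writes its PID to NAME.pid.
    name=$1; shift
    mkdir -p "$LNC_RUN_DIR"
    "$@" &
    echo $! > "$LNC_RUN_DIR/$name.pid"
}

start_backend() {
    # http.server listens on every interface by default; --bind 127.0.0.1 keeps it
    # reachable only through aperture on the same host. --directory avoids the cd.
    start_tracked backend python3 -m http.server 8080 --bind 127.0.0.1 --directory /tmp/api-data
}

stop_all() {
    # Terminate every tracked process and remove its PID file, whether or not the
    # skill's own stop scripts were run. Stale PIDs (process already gone) are ignored.
    for f in "$LNC_RUN_DIR"/*.pid; do
        [ -f "$f" ] || continue
        pid=$(cat "$f")
        if kill -0 "$pid" 2>/dev/null; then
            kill "$pid" 2>/dev/null || true
        fi
        rm -f "$f"
    done
}

tracked_count() {
    # Number of background processes still registered.
    ls "$LNC_RUN_DIR"/*.pid 2>/dev/null | wc -l | tr -d ' '
}
```

With this in place the cleanup step becomes "run the skill's stop scripts, then stop_all", and `tracked_count` should print 0 before the session is considered closed. The loopback bind is what makes aperture the only way in; a firewall rule on 8080 is a second layer, not a substitute for it.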
Risk: Anyone with access to the token directory might reuse tokens or inspect what paid resources were accessed.
Detail: Persistent L402 tokens are expected for this workflow, but each one is an already-paid credential (a macaroon together with the payment preimage), so a copied token grants the same access the user paid for, and the per-domain layout records which services were bought from.
Evidence: L402 tokens | Stored at `~/.lnget/tokens/<domain>/` per domain
Recommendation: Protect the token directory, clear tokens when no longer needed, and avoid sharing logs or archives that include these files.
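A permission check that covers both the wallet secrets finding and this token-directory finding, added here as an example that is not part of the skill: it reports any of the listed paths that group or others can read or write, and tightens files to 0600 and directories to 0700. The paths are the ones in the skill's own table; the LNGET_HOME override and the function names are assumptions so the check can be pointed at a scratch directory.

```shell
#!/bin/sh
# Added example: check and tighten permissions on the wallet secrets and the
# L402 token store named in the findings above. Not part of the skill; the
# LNGET_HOME override exists so the functions can be pointed at a test directory.

LNGET_HOME=${LNGET_HOME:-$HOME/.lnget}
SECRET_PATHS="$LNGET_HOME/lnd/wallet-password.txt $LNGET_HOME/lnd/seed.txt $LNGET_HOME/tokens"

too_open() {
    # Print PATH if group or others have any read or write bit on it.
    # -prune keeps find from descending, so only the named path itself is tested.
    find "$1" -prune \( -perm -g+r -o -perm -g+w -o -perm -o+r -o -perm -o+w \) -print 2>/dev/null
}

count_too_open() {
    # Usage: count_too_open PATH... ; prints how many existing paths are over-permissive.
    bad=0
    for p in "$@"; do
        [ -e "$p" ] || continue
        if [ -n "$(too_open "$p")" ]; then
            echo "too open: $p ($(ls -ld "$p" | awk '{ print $1 }'))" >&2
            bad=$((bad + 1))
        fi
    done
    echo "$bad"
}

harden_secrets() {
    # Usage: harden_secrets PATH... ; files become 0600, directories (recursively) 0700.
    for p in "$@"; do
        [ -e "$p" ] || continue
        if [ -d "$p" ]; then
            find "$p" -type d -exec chmod 700 {} +
            find "$p" -type f -exec chmod 600 {} +
        else
            chmod 600 "$p"
        fi
    done
}

# Typical use: harden_secrets $SECRET_PATHS; count_too_open $SECRET_PATHS
```

Run `count_too_open $SECRET_PATHS` after every session and before archiving or sharing anything under ~/.lnget. Keep the limit of this check in mind: mode bits stop other local accounts, not root, not backup jobs, and not the agent process itself, which runs as the same user. For funds that matter, the remote-signer or watch-only setup recommended above is the control that actually removes the secret from this machine.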
