Skillv1.0.0

ClawScan security

Lightning Agentic Commerce · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 11, 2026, 9:46 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The instructions describe a plausible Lightning-network commerce workflow, but the skill's metadata and packaging don't match what the runtime steps require and the instructions ask the agent to create and store sensitive wallet secrets insecurely — review before use.
Guidance: Do not run this skill blindly. Key points to check before installing or executing: 1) Confirm origin — this skill has no homepage and no bundled scripts; obtain and audit the referenced scripts (skills/lnd/..., skills/lnget/..., skills/aperture/...) from a trusted source. 2) Verify binaries and dependencies are present and come from official releases (lnd, lncli, lnget, aperture, python3, jq). The metadata should declare these; if not, treat that as incomplete. 3) Audit any install/start scripts for remote downloads, shell-exec, or commands that write secrets to disk or exfiltrate data. 4) Never use real funds until you fully understand and trust the code — test in a sandboxed testnet environment and consider watch-only or remote signer setups. 5) Do not accept plaintext seed/passphrase storage as shown; use secure key management if you will hold real funds. 6) Be cautious about running services with --insecure or exposing ports publicly. 7) If you are not comfortable auditing scripts yourself, decline or require the skill author to provide a verifiable release (source + checksums) and explicit declared dependencies and credential requirements.

Review Dimensions

Purpose & Capability: concernThe SKILL.md claims to install and run lnd, lnget, and aperture and to perform wallet operations and payments, but the skill metadata declares no required binaries, env vars, or config paths. The instructions reference many external components and local scripts (skills/lnd/scripts/*.sh, skills/lnget/scripts/*.sh, skills/aperture/scripts/*.sh) that are not included or declared — this mismatch suggests the metadata is incomplete or the skill assumes other skills/files exist.
Instruction Scope: concernThe runtime instructions direct the agent to perform privileged, state-changing operations: install services, create encrypted wallets, write seed and passphrase files to disk, open Lightning channels, connect to external nodes, and start network-exposed services. They also recommend insecure flags (e.g., aperture --insecure) and explicitly point to plaintext storage of seed and passphrase under ~/.lnget; these are within the stated purpose but expand the agent's scope to managing secrets and performing irreversible financial operations — both high-impact actions that must be audited before execution.
Install Mechanism: noteThere is no install specification (instruction-only), which is low risk from an installer perspective. However, the SKILL.md calls local install/start scripts that are not provided with the skill; if those scripts are expected from external skills or a repository, that dependency is not declared here and could cause the agent to attempt to run missing/untrusted commands or search for/install components from unknown sources.
Credentials: concernThe skill requests no environment variables or config paths in metadata, yet the instructions reference sensitive local files (seed, wallet passphrase, lnd macaroons, aperture DB, lnget tokens). Storing seeds and passphrases in plaintext files (even with 0600) and interacting with macaroons are sensitive actions; the lack of declared credential/config requirements is inconsistent and hides the true credential footprint.
Persistence & Privilege: notealways is false and model invocation is allowed (default). Autonomous invocation plus the skill's instructions would permit an agent to create wallets and initiate payments without immediate user intervention — this is expected for agentic commerce but increases risk in combination with the other concerns (missing origin, undeclared dependencies, secret handling).