Lnd

Security checks across malware telemetry and agentic risk

Overview

The skill has a legitimate Lightning-node purpose, but it exposes and handles high-impact wallet/signing capabilities with a few under-scoped safety controls that deserve review before installation.

Install only if you understand Lightning node operations. Keep the default on testnet until verified, avoid mainnet funds unless ports are firewalled or bound to localhost, use least-privilege macaroons instead of admin macaroons, only import credential bundles from a trusted signer, and do not run cleanup with volume removal unless wallet/channel recovery is fully backed up.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (4)

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The documented `stop-lnd.sh --clean` command removes volumes, which for a Lightning node can delete wallet state, channel data, and other persistent node data. Because the command is presented without an immediate, explicit data-loss warning, users may destroy funds access or operational state unintentionally.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The payment example shows `sendpayment` without an adjacent warning that it can spend real funds if the node is connected to mainnet. In the context of a Lightning node management skill, normalizing spend-capable commands without clear fund-risk labeling increases the chance of accidental payment execution.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script constructs a shell command in a string and executes it with eval, while parts of that command are influenced by user-controlled inputs such as mode-dependent values and earlier argument handling. Using eval causes the shell to re-parse the string, so crafted input can break out of the intended command structure and achieve arbitrary command execution on the host running the skill.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The signer REST API is explicitly published to the host, and the file comments note that this endpoint is used for wallet creation. In a watch-only/remote-signer architecture, exposing wallet-management functionality outside the internal Docker network increases the attack surface for highly sensitive operations and can enable unauthorized wallet initialization or administrative access if additional protections are misconfigured or absent.

VirusTotal

65/65 vendors flagged this skill as clean.
