lnget: like wget but for L402 on the web

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate Lightning paywall client, but it can spend real Lightning funds and use local node credentials, so it needs careful review before installation.

Install only if you intentionally want an agent-accessible Lightning HTTP client. Pin a reviewed lnget version where possible, use --no-pay to inspect costs first, set low --max-cost and --max-fee limits, avoid using an admin.macaroon when a least-privilege credential will work, and protect or periodically clear ~/.lnget tokens and LNC sessions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly describes automatic Lightning invoice payment and storage of paid L402 tokens, but does not warn users that running the documented commands can spend real funds and create reusable authentication artifacts on disk. In an agent context, that omission is security-relevant because operators may treat example commands as low-risk documentation when they actually authorize payments and persist sensitive state.

Missing User Warnings

Medium
Confidence: 91%
Finding
The quick-start flow tells users to run `lnget config init`, described as auto-detecting local lnd, without warning that this may discover and use local wallet connection details and macaroon-based credentials. In an agent or automation environment, that can lead to unanticipated access to a real Lightning node and subsequent automated spending.

Missing User Warnings

Medium
Confidence: 90%
Finding
The documentation identifies token and session storage paths but does not state that these directories may contain reusable authentication or payment state. On multi-user systems or poorly secured environments, exposure of these files could enable replay or unauthorized use of cached L402 tokens or Lightning sessions.

VirusTotal

66/66 vendors flagged this skill as clean.
