Lightning Agentic Commerce
End-to-end agentic commerce workflow using Lightning Network. Use when an agent needs to set up a full payment stack (lnd + lnget + aperture), buy or sell data via L402, or enable agent-to-agent micropayments.
MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md claims to install and run lnd, lnget, and aperture and to perform wallet operations and payments, but the skill metadata declares no required binaries, env vars, or config paths. The instructions reference many external components and local scripts (skills/lnd/scripts/*.sh, skills/lnget/scripts/*.sh, skills/aperture/scripts/*.sh) that are not included or declared — this mismatch suggests the metadata is incomplete or the skill assumes other skills/files exist.
Instruction Scope
The runtime instructions direct the agent to perform privileged, state-changing operations: install services, create encrypted wallets, write seed and passphrase files to disk, open Lightning channels, connect to external nodes, and start network-exposed services. They also recommend insecure flags (e.g., aperture --insecure) and explicitly point to plaintext storage of seed and passphrase under ~/.lnget; these are within the stated purpose but expand the agent's scope to managing secrets and performing irreversible financial operations — both high-impact actions that must be audited before execution.
Install Mechanism
There is no install specification (instruction-only), which is low risk from an installer perspective. However, the SKILL.md calls local install/start scripts that are not provided with the skill; if those scripts are expected from external skills or a repository, that dependency is not declared here and could cause the agent to attempt to run missing/untrusted commands or search for/install components from unknown sources.
Credentials
The skill requests no environment variables or config paths in metadata, yet the instructions reference sensitive local files (seed, wallet passphrase, lnd macaroons, aperture DB, lnget tokens). Storing seeds and passphrases in plaintext files (even with 0600) and interacting with macaroons are sensitive actions; the lack of declared credential/config requirements is inconsistent and hides the true credential footprint.
Persistence & Privilege
always is false and model invocation is allowed (default). Autonomous invocation plus the skill's instructions would permit an agent to create wallets and initiate payments without immediate user intervention — this is expected for agentic commerce but increases risk in combination with the other concerns (missing origin, undeclared dependencies, secret handling).
What to consider before installing
Do not run this skill blindly. Key points to check before installing or executing:
1) Confirm origin — this skill has no homepage and no bundled scripts; obtain and audit the referenced scripts (skills/lnd/..., skills/lnget/..., skills/aperture/...) from a trusted source.
2) Verify binaries and dependencies are present and come from official releases (lnd, lncli, lnget, aperture, python3, jq). The metadata should declare these; if not, treat that as incomplete.
3) Audit any install/start scripts for remote downloads, shell-exec, or commands that write secrets to disk or exfiltrate data.
4) Never use real funds until you fully understand and trust the code — test in a sandboxed testnet environment and consider watch-only or remote signer setups.
5) Do not accept plaintext seed/passphrase storage as shown; use secure key management if you will hold real funds.
6) Be cautious about running services with --insecure or exposing ports publicly.
7) If you are not comfortable auditing scripts yourself, decline or require the skill author to provide a verifiable release (source + checksums) and explicit declared dependencies and credential requirements.
Like a lobster shell, security has layers — review code before you run it.
Current version: v1.0.0
SKILL.md
Agentic Commerce Toolkit
This plugin provides a complete toolkit for agent-driven Lightning Network commerce. Three skills work together to enable agents to send and receive micropayments over the Lightning Network using the L402 protocol.
Components
| Skill | Purpose |
|---|---|
| lnd | Run Lightning Terminal (litd: lnd + loop + pool + tapd) |
| lnget | Fetch L402-protected resources (pay for data) |
| aperture | Host paid API endpoints (sell data) |
Full Setup Workflow
Step 1: Install All Components
# Install litd (Lightning Terminal — bundles lnd + loop + pool + tapd)
skills/lnd/scripts/install.sh
# Install lnget (Lightning HTTP client)
skills/lnget/scripts/install.sh
# Install aperture (L402 reverse proxy)
skills/aperture/scripts/install.sh
Step 2: Set Up the Lightning Node
# Start litd container (testnet by default)
skills/lnd/scripts/start-lnd.sh
# Create an encrypted wallet
skills/lnd/scripts/create-wallet.sh --mode standalone
# Verify node is running
skills/lnd/scripts/lncli.sh getinfo
Step 3: Fund the Wallet
# Generate a Bitcoin address
skills/lnd/scripts/lncli.sh newaddress p2tr
# Send BTC to this address from an exchange or another wallet
# Verify balance
skills/lnd/scripts/lncli.sh walletbalance
Step 4: Open a Channel
# Connect to a well-connected node (e.g., ACINQ, Bitfinex)
skills/lnd/scripts/lncli.sh connect <pubkey>@<host>:9735
# Open a channel
skills/lnd/scripts/lncli.sh openchannel --node_key=<pubkey> --local_amt=1000000
# Wait for channel to confirm (6 blocks)
skills/lnd/scripts/lncli.sh listchannels
Step 5: Configure lnget
# Initialize lnget config (auto-detects local lnd)
lnget config init
# Verify connection
lnget ln status
Step 6: Fetch Paid Resources
# Fetch an L402-protected resource
lnget --max-cost 1000 https://api.example.com/paid-data
# Preview without paying
lnget --no-pay https://api.example.com/paid-data
# Check cached tokens
lnget tokens list
Step 7: Host Paid Endpoints (Optional)
# Start your backend service
python3 -m http.server 8080 &
# Configure aperture to protect it
skills/aperture/scripts/setup.sh --insecure --port 8081
# Start the L402 paywall
skills/aperture/scripts/start.sh
# Other agents can now pay to access your endpoints
# lnget --max-cost 100 https://your-host:8081/api/data
Agent-to-Agent Commerce
The full loop for autonomous agent commerce:
Agent A (buyer)                    Agent B (seller)
─────────────                      ─────────────
lnd node running                   lnd node running
    ↓                                  ↓
lnget fetches URL ──────────────→ aperture receives request
                                       ↓
                                   Returns 402 + invoice
                                       ↓
lnget pays invoice ─────────────→ lnd receives payment
    ↓                                  ↓
lnget retries with token ───────→ aperture validates token
                                       ↓
                                   Proxies to backend
    ↓                                  ↓
Agent A receives data ←────────── Backend returns data
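The challenge, retry and token-validation steps of the loop above, as an added Python example that is not code from this skill, lnget or aperture. The header layout follows the L402 specification rather than this page, and the HMAC-signed token, `SERVER_KEY` and the invoice string are constructed stand-ins for a real macaroon and BOLT11 invoice.

```python
import base64, hashlib, hmac, os, re

# Constructed stand-in for the seller's token-signing secret (assumption).
SERVER_KEY = os.urandom(32)

def issue_challenge(payment_hash: bytes, invoice: str) -> str:
    """Seller: value of the WWW-Authenticate header sent with the 402."""
    # Stand-in token = payment_hash || HMAC tag. Real L402 tokens are macaroons.
    tag = hmac.new(SERVER_KEY, payment_hash, hashlib.sha256).digest()
    token = base64.b64encode(payment_hash + tag).decode()
    return f'L402 macaroon="{token}", invoice="{invoice}"'

def parse_challenge(header: str):
    """Buyer: pull the token and the invoice out of the challenge."""
    m = re.fullmatch(r'L402 macaroon="([^"]+)", invoice="([^"]+)"', header)
    if m is None:
        raise ValueError("not an L402 challenge")
    return m.group(1), m.group(2)

def build_authorization(token: str, preimage: bytes) -> str:
    """Buyer: Authorization header value for the retry."""
    return f"L402 {token}:{preimage.hex()}"

def validate_authorization(header: str) -> bool:
    """Seller: accept only a token we issued plus the matching preimage."""
    m = re.fullmatch(r"L402 ([A-Za-z0-9+/=]+):([0-9a-f]{64})", header)
    if m is None:
        return False
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:
        return False
    if len(raw) != 64:
        return False
    payment_hash, tag = raw[:32], raw[32:]
    expected = hmac.new(SERVER_KEY, payment_hash, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False  # token was not issued by this server
    proof = hashlib.sha256(bytes.fromhex(m.group(2))).digest()
    return hmac.compare_digest(proof, payment_hash)  # proves the invoice was paid

def demo():
    preimage = os.urandom(32)  # held by the seller's lnd until settlement
    challenge = issue_challenge(hashlib.sha256(preimage).digest(), "lnbc1-constructed")
    token, _invoice = parse_challenge(challenge)
    paid = validate_authorization(build_authorization(token, preimage))
    unpaid = validate_authorization(build_authorization(token, os.urandom(32)))
    return paid, unpaid
```

The seller never has to look up payment state: a valid token fixes the payment hash, and only a settled invoice yields the preimage that hashes to it.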
Buyer Agent Setup
# One-time setup
skills/lnd/scripts/install.sh
skills/lnget/scripts/install.sh
skills/lnd/scripts/start-lnd.sh
skills/lnd/scripts/create-wallet.sh --mode standalone
lnget config init
# Fund wallet and open channels (one-time)
skills/lnd/scripts/lncli.sh newaddress p2tr
# ... send BTC ...
skills/lnd/scripts/lncli.sh openchannel --node_key=<pubkey> --local_amt=500000
# Ongoing: fetch paid resources
lnget --max-cost 100 -q https://seller-api.example.com/api/data | jq .
Seller Agent Setup
# One-time setup
skills/lnd/scripts/install.sh
skills/aperture/scripts/install.sh
skills/lnd/scripts/start-lnd.sh
skills/lnd/scripts/create-wallet.sh --mode standalone
# Configure and start paywall
skills/aperture/scripts/setup.sh --port 8081 --insecure
# Start backend with content to sell
mkdir -p /tmp/api-data
echo '{"market_data": "..."}' > /tmp/api-data/data.json
cd /tmp/api-data && python3 -m http.server 8080 &
# Start aperture
skills/aperture/scripts/start.sh
# Buyers can now access:
# https://your-host:8081/api/data.json (100 sats per request)
Cost Management
Agents should always control spending:
# Set a hard limit per request
lnget --max-cost 500 https://api.example.com/data
# Check cost before paying
lnget --no-pay --json https://api.example.com/data | jq '.invoice_amount_sat'
# Track spending via token list
lnget tokens list --json | jq '[.[] | .amount_paid_sat] | add'
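A fail-closed spending gate an agent could apply before each paid fetch, added here as an example and not part of the skill. It assumes only the two JSON fields used in the jq commands above; the sample JSON, the function names and the cumulative-budget rule are constructed for illustration.

```python
import json

# Constructed samples shaped like the fields the jq filters above read.
SAMPLE_QUOTE = '{"invoice_amount_sat": 100}'          # lnget --no-pay --json
SAMPLE_TOKENS = '[{"amount_paid_sat": 100}, {"amount_paid_sat": 250}]'

def _sats(value):
    """Accept only non-negative integers; strings, floats and bools fail."""
    if isinstance(value, bool) or not isinstance(value, int) or value < 0:
        raise ValueError(f"not a valid satoshi amount: {value!r}")
    return value

def authorize_payment(quote_json, tokens_json, per_request_cap, total_budget):
    """Return (allowed, reason). Anything unparseable is a refusal."""
    try:
        price = _sats(json.loads(quote_json)["invoice_amount_sat"])
        spent = sum(_sats(t["amount_paid_sat"]) for t in json.loads(tokens_json))
    except (ValueError, KeyError, TypeError) as exc:
        return False, f"unparseable lnget output: {exc}"
    if price > per_request_cap:
        return False, f"price {price} sat exceeds per-request cap {per_request_cap}"
    if spent + price > total_budget:
        return False, f"{spent} sat spent, {price} more would exceed {total_budget}"
    return True, f"ok: {spent + price} of {total_budget} sat used after payment"

if __name__ == "__main__":
    print(authorize_payment(SAMPLE_QUOTE, SAMPLE_TOKENS, 500, 1000))
```

Keep passing `--max-cost` on the paying call as well, since the price can change between the preview and the real request.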
Security Summary
| Component | Security Model |
|---|---|
| Wallet passphrase | Stored at ~/.lnget/lnd/wallet-password.txt (0600) |
| Seed mnemonic | Stored at ~/.lnget/lnd/seed.txt (0600) |
| L402 tokens | Stored at ~/.lnget/tokens/<domain>/ per domain |
| lnd macaroons | Standard lnd paths at ~/.lnd/data/chain/... |
| Aperture DB | SQLite at ~/.aperture/aperture.db |
For production use with significant funds, use watch-only mode with a remote
signer container. See the lightning-security-module skill for details.
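A check for the two plaintext secrets in the table above, added here as an example and not shipped with the skill. The relative paths come from the table; the function names and the temporary sample tree are constructed for illustration.

```python
import os, stat, tempfile

# Relative to ~/.lnget, as listed in the Security Summary table.
SECRET_FILES = ("lnd/wallet-password.txt", "lnd/seed.txt")

def audit_secrets(base_dir, expected_uid=None):
    """Return a list of findings; an empty list means every check passed."""
    uid = os.getuid() if expected_uid is None else expected_uid
    findings = []
    for rel in SECRET_FILES:
        path = os.path.join(base_dir, rel)
        try:
            st = os.lstat(path)  # lstat: do not follow a planted symlink
        except FileNotFoundError:
            findings.append(f"{rel}: missing")
            continue
        if not stat.S_ISREG(st.st_mode):
            findings.append(f"{rel}: not a regular file")
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o077:
            findings.append(f"{rel}: mode {mode:04o} allows group/other access")
        if st.st_uid != uid:
            findings.append(f"{rel}: owned by uid {st.st_uid}, expected {uid}")
    lnd_dir = os.path.join(base_dir, "lnd")
    if os.path.isdir(lnd_dir) and stat.S_IMODE(os.stat(lnd_dir).st_mode) & 0o022:
        findings.append("lnd/: directory is writable by group/other")
    return findings

def make_sample_tree(seed_mode=0o600):
    """Build a constructed ~/.lnget look-alike in a temp dir for the demo."""
    base = tempfile.mkdtemp()
    os.mkdir(os.path.join(base, "lnd"), 0o700)
    for rel, mode in zip(SECRET_FILES, (0o600, seed_mode)):
        path = os.path.join(base, rel)
        with open(path, "w") as fh:
            fh.write("constructed placeholder, not a real secret\n")
        os.chmod(path, mode)
    return base

if __name__ == "__main__":
    for finding in audit_secrets(os.path.expanduser("~/.lnget")):
        print(finding)
```

A clean result only confirms the 0600 claim in the table; the seed is still readable by any process running as the same user, which is the case the remote-signer setup addresses.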
Stopping Everything
skills/aperture/scripts/stop.sh
skills/lnd/scripts/stop-lnd.sh
