Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

LNbits Wallet

v1.0.0

Manage LNbits Lightning Wallet (Balance, Pay, Invoice)

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md, metadata, and the included script all describe LNbits wallet operations and require python3 plus LNBITS_API_KEY and LNBITS_BASE_URL, which is coherent with the claimed purpose. However, the registry summary at the top of the submission incorrectly lists no required env vars or binaries, creating a metadata mismatch that should be resolved.
Instruction Scope
Runtime instructions explicitly tell the assistant to create wallets, capture adminkey/base_url, check balance, decode invoices, and send payments. The SKILL.md includes good safety guidance (never expose secrets, require explicit user confirmation before pay), but it also instructs the assistant to instruct the user to store the adminkey in the agent's config or .env — which elevates scope by creating persistent, high-privilege credentials available to the agent.
Install Mechanism
There is no install spec (instruction-only with a bundled Python script). That is low-risk from an installer perspective, but the bundled script will be executed with python3 at runtime — review the script's source for unexpected behavior before allowing execution.
Credentials
The skill requires two environment variables (LNBITS_API_KEY and LNBITS_BASE_URL), which are appropriate for an LNbits integration. The concern is that the expected key is the adminkey (full admin key) per the instructions; an adminkey grants broad control of a wallet and is higher privilege than a user-specific key. Requiring/storing an adminkey in the agent environment is a disproportionate privilege unless explicitly justified.
Persistence & Privilege
The skill does not set disableModelInvocation, so the model can invoke it autonomously. Combined with a potentially powerful adminkey stored in the environment, this creates risk that the model could initiate payments or other privileged actions without additional user consent. The SKILL.md requires asking for confirmation before paying, but that is an instruction and not an enforcement mechanism.
What to consider before installing
Before installing:

  1. Confirm the registry metadata is corrected to reflect the required python3 binary and the two env vars declared in SKILL.md.
  2. Review the bundled script (scripts/lnbits_cli.py) source to verify it only calls the LNbits API and does not exfiltrate keys or perform unexpected network activity.
  3. Prefer using a least-privilege key (a payment/readonly key) instead of an adminkey; if adminkey is required, be aware it allows full wallet control.
  4. Prevent autonomous payments: set disableModelInvocation=true or ensure the skill is user-invocable only, and enforce interactive confirmation outside the agent if possible.
  5. If you must store credentials, use secure secret storage rather than a plain .env file and audit who/what can read them.

If you cannot review the script or prevent autonomous invocation, treat the skill as high-risk and do not install it with real funds or admin keys.


Runtime requirements

Clawdis
Bins: python3
Env: LNBITS_API_KEY, LNBITS_BASE_URL
Primary env: LNBITS_API_KEY
latest: vk97ffa6w8j6ybh9ztrdpz8zcb9803dxq
1.7k downloads
0 stars
1 version
Updated 6h ago
v1.0.0
MIT-0

LNbits Wallet Manager

Enable the assistant to safely and effectively manage an LNbits Lightning Network wallet.

🛑 CRITICAL SECURITY PROTOCOLS 🛑

  1. NEVER Expose Secrets: Do NOT display Admin Keys, User IDs, or Wallet IDs.
  2. Explicit Confirmation: You MUST ask for "Yes/No" confirmation before paying.
    • Format: "I am about to send [Amount] sats to [Memo/Dest]. Proceed? (y/n)"
  3. Check Balance First: Always call balance before pay to prevent errors.

Usage

0. Setup / Create Wallet

If the user does not have an LNbits wallet, you can create one for them on the demo server.

python3 {baseDir}/scripts/lnbits_cli.py create --name "My Wallet"

Action:

  1. Run the command.
  2. Capture the adminkey (Admin Key) and base_url (defaults to https://demo.lnbits.com).
  3. IMPORTANT: Instruct the user to save these credentials securely:

    "I've created a new wallet! Please add these to your Moltbot configuration or .env file:
    export LNBITS_BASE_URL=https://demo.lnbits.com
    export LNBITS_API_KEY=<adminkey>"

1. Check Balance

Get the current wallet balance in Satoshis.

python3 {baseDir}/scripts/lnbits_cli.py balance

2. Create Invoice (Receive)

Generate a Bolt11 invoice to receive funds.

  • amount: Amount in Satoshis (Integer).
  • memo: Optional description.

python3 {baseDir}/scripts/lnbits_cli.py invoice --amount 1000 --memo "Pizza"

3. Pay Invoice (Send)

⚠️ REQUIRES CONFIRMATION: Decode first, verify balance, ask user, then execute.

# Step 1: Decode to verify amount/memo
python3 {baseDir}/scripts/lnbits_cli.py decode <bolt11_string>

# Step 2: Pay (Only after user CONFIRMS)
python3 {baseDir}/scripts/lnbits_cli.py pay <bolt11_string>
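The scan notes that the y/n confirmation and balance-before-pay rules above are instructions to the model, not an enforcement mechanism. As an added example (not the skill's bundled lnbits_cli.py), here is a small Python guard that performs the decode, per-payment cap, balance and confirmation checks in code before the payments call is ever made; the LNbits endpoint paths, the millisat balance field and the X-Api-Key header are assumptions about the LNbits v1 API, and fake_transport is a constructed stand-in so the guard runs offline.

```python
import json
import urllib.request
from typing import Any, Callable, Dict, Optional

# transport(method, path, json_body) -> parsed JSON dict; injected so the guard runs offline.
Transport = Callable[[str, str, Optional[Dict[str, Any]]], Dict[str, Any]]

def guarded_pay(bolt11: str, transport: Transport, confirm: Callable[[str], bool],
                max_sats: int = 10_000) -> Dict[str, Any]:
    """Returns {'status': 'sent', ...} or {'status': 'refused', 'reason': ...}."""
    def refuse(reason: str) -> Dict[str, Any]:
        return {"status": "refused", "reason": reason}
    # Step 1: decode first (assumed endpoint POST /api/v1/payments/decode).
    inv = transport("POST", "/api/v1/payments/decode", {"data": bolt11})
    amount_sats = int(inv.get("amount_msat") or 0) // 1000
    if amount_sats <= 0:
        return refuse("zero-amount invoice: the amount cannot be verified")
    if amount_sats > max_sats:
        return refuse(f"{amount_sats} sats exceeds the per-payment cap of {max_sats}")
    # Step 2: balance before pay (assumed GET /api/v1/wallet, balance in msat).
    balance_sats = int(transport("GET", "/api/v1/wallet", None)["balance"]) // 1000
    if amount_sats > balance_sats:
        return refuse(f"insufficient funds: {balance_sats} sats available")
    # Step 3: the y/n prompt is issued by this code, not by the model's prompt text.
    memo = inv.get("description", "")
    if not confirm(f"I am about to send {amount_sats} sats to {memo!r}. Proceed? (y/n) "):
        return refuse("user declined")
    # Step 4: only now call the payments endpoint (assumed POST /api/v1/payments).
    return {"status": "sent", **transport("POST", "/api/v1/payments", {"out": True, "bolt11": bolt11})}

def http_transport(base_url: str, api_key: str) -> Transport:
    """Real transport; LNbits authenticates with an X-Api-Key header (assumed)."""
    def transport(method, path, body):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(base_url.rstrip("/") + path, data=data, method=method,
            headers={"X-Api-Key": api_key, "Content-Type": "application/json"})
        with urllib.request.urlopen(req, timeout=15) as resp:
            return json.load(resp)
    return transport

def fake_transport(balance_msat: int, amount_msat: int) -> Transport:
    """Constructed offline stand-in for the LNbits API, for demonstration only."""
    def transport(method, path, body):
        if path == "/api/v1/payments/decode":
            return {"amount_msat": amount_msat, "description": "Pizza"}
        if path == "/api/v1/wallet":
            return {"balance": balance_msat}
        return {"payment_hash": "constructed-hash", "bolt11": body["bolt11"]}
    return transport
```

With a real key, pass `http_transport(os.environ["LNBITS_BASE_URL"], os.environ["LNBITS_API_KEY"])` and `lambda p: input(p).strip().lower() == "y"` as the confirm callback, so the prompt is answered by the person at the terminal rather than by the agent.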

Error Handling

If the CLI returns a JSON error (e.g., {"error": "Insufficient funds"}), summarize it clearly for the user. Do not show raw stack traces.
