Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

lnget: like wget but for L402 on the web

v1.0.0

Install and use lnget, a Lightning-native HTTP client with automatic L402 payment support. Use when downloading files behind Lightning paywalls, managing L402 tokens, checking Lightning backend status, or making HTTP requests that may require micropayments.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (medium confidence)
Purpose & Capability
Name/description, SKILL.md, and the install script all align: the skill installs and documents lnget (github.com/lightninglabs/lnget) and shows how to fetch L402-protected resources, manage tokens, and configure Lightning backends. There are no unrelated binaries or unexplained dependencies.
! Instruction Scope
The SKILL.md instructs running the included install.sh and many lnget commands that interact with local Lightning backends (lnd, LNC, neutrino), read/write config and token files in the user's home (~/.lnget), and perform payments. It also references LNGET_ environment overrides. While this is expected for a Lightning client, these instructions can read local wallet artifacts (macaroon, tls cert) and initiate payments — actions beyond a simple HTTP client and potentially risky if executed without user oversight.
Install Mechanism
install.sh simply runs 'go install github.com/lightninglabs/lnget/cmd/lnget@latest' after checking for Go. This uses a well-known source (GitHub) and does not download random archives or call unknown servers. Risk from installation is low but standard caveats about fetching code from upstream apply.
Credentials
The skill declares no required env vars, but the SKILL.md documents LNGET_ environment overrides and references local LND macaroon/tls paths and pairing phrases. Access to these credentials is proportionate to lnget's purpose (it must talk to a Lightning backend and sign/pay invoices), but they are sensitive — the SKILL.md does not declare them as required, so users should be aware the tool will look at local wallet files if configured.
! Persistence & Privilege
The skill does not set always:true and does not modify other skills. However, lnget's default behaviors include auto-pay (auto_pay: true in examples) and persistent token storage under ~/.lnget/tokens; combined with the platform's normal autonomous invocation capability, this means an agent that invokes the skill could cause real micropayments if not constrained. This is expected functionally but carries financial risk and deserves explicit user controls (max-cost, --no-pay) before allowing autonomous runs.
Assessment
This skill appears to do what it claims (install and run lnget), but it will interact with your local Lightning node and can make micropayments. Before installing or letting an agent invoke it autonomously:
1) Inspect the upstream repo (github.com/lightninglabs/lnget) and the exact version you will install.
2) Run the install script manually in a controlled environment so you can verify behavior.
3) Review and tighten lnget configuration: set sensible LNGET_L402_MAX_COST_SATS / --max-cost, set auto_pay=false or use --no-pay for testing, and consider using ephemeral pairing rather than storing long-lived macaroons.
4) Protect your ~/.lnd macaroon and tls cert files; do not expose them to untrusted agents.
5) If you will allow autonomous agent use, restrict its budget/permissions or disable auto-pay to avoid unexpected spending.

Like a lobster shell, security has layers — review code before you run it.
