LNbits Wallet
Pass
Audited by ClawScan on May 10, 2026.
Overview
This wallet skill appears to match its stated purpose, but it can spend Lightning funds and handle wallet admin keys, so users should verify confirmations and endpoint settings.
Install only if you are comfortable giving the assistant access to an LNbits wallet. Use a limited or dedicated wallet when possible, set LNBITS_BASE_URL explicitly, keep the API/admin key private, and require a clear yes/no confirmation before any payment.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used incorrectly, the assistant could initiate an irreversible Lightning payment.
The skill exposes a payment command that can spend wallet funds, but it also clearly instructs the agent to decode, verify balance, and get explicit user confirmation first.
**⚠️ REQUIRES CONFIRMATION**: Decode first, verify balance, ask user, then execute. ... python3 {baseDir}/scripts/lnbits_cli.py pay <bolt11_string>
Only approve payments after checking the decoded invoice amount, memo, destination, and wallet balance.
Anyone with the configured API/admin key may be able to access or spend from the LNbits wallet depending on the key's permissions.
The skill requires an LNbits API key as its primary credential, which is expected for wallet management but grants sensitive wallet authority.
requires":{"bins":["python3"],"env":["LNBITS_API_KEY", "LNBITS_BASE_URL"]},"primaryEnv":"LNBITS_API_KEY"
Use a wallet/key dedicated to this assistant, avoid sharing logs containing the key, and revoke or rotate the key if it may have been exposed.
A user could configure or fund the wrong LNbits instance if they assume a different default server.
The code has a fallback LNbits endpoint; this is worth noticing because the setup text describes a different demo-server default, so users should confirm which LNbits host is being used.
BASE_URL = os.getenv("LNBITS_BASE_URL", "https://legend.lnbits.com").rstrip("/")
Set LNBITS_BASE_URL explicitly and verify it matches the wallet host before creating invoices or sending funds.
