LNbits Wallet
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: lnbits
Version: 1.0.0
The skill is classified as suspicious due to the explicit instruction in `SKILL.md` for the AI agent to output the `adminkey` (Admin Key) after creating a new LNbits wallet. While this is intended for the user to configure their environment, exposing such a highly sensitive credential directly in the agent's output is a significant security risk, as the `adminkey` grants full control over the wallet. This represents a risky capability, even if the intent is not clearly malicious exfiltration to an unauthorized third party.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used incorrectly, the assistant could initiate an irreversible Lightning payment.
The skill exposes a payment command that can spend wallet funds, but it also clearly instructs the agent to decode, verify balance, and get explicit user confirmation first.
**⚠️ REQUIRES CONFIRMATION**: Decode first, verify balance, ask user, then execute. ... python3 {baseDir}/scripts/lnbits_cli.py pay <bolt11_string>
Only approve payments after checking the decoded invoice amount, memo, destination, and wallet balance.
Anyone with the configured API/admin key may be able to access or spend from the LNbits wallet depending on the key's permissions.
The skill requires an LNbits API key as its primary credential, which is expected for wallet management but grants sensitive wallet authority.
requires":{"bins":["python3"],"env":["LNBITS_API_KEY", "LNBITS_BASE_URL"]},"primaryEnv":"LNBITS_API_KEY"
Use a wallet/key dedicated to this assistant, avoid sharing logs containing the key, and revoke or rotate the key if it may have been exposed.
A user could configure or fund the wrong LNbits instance if they assume a different default server.
The code has a fallback LNbits endpoint; this is worth noticing because the setup text describes a different demo-server default, so users should confirm which LNbits host is being used.
BASE_URL = os.getenv("LNBITS_BASE_URL", "https://legend.lnbits.com").rstrip("/")
Set LNBITS_BASE_URL explicitly and verify it matches the wallet host before creating invoices or sending funds.
