roasbeef

Lnd

Author: Roasbeef · GitHub ↗ · v1.0.1
cross-platform ⚠ suspicious
Total downloads: 1133
Favorites: 0
Current installs: 0
Versions: 2
Install in OpenClaw
/install lnd
Description
Install and run Lightning Terminal (litd) which bundles lnd, loop, pool, tapd, and faraday in a single Docker container. Defaults to neutrino backend with SQLite storage on testnet. Supports watch-only mode with remote signer, standalone mode, and regtest development. Use when setting up a Lightning node for payments, channel management, liquidity management (loop), channel marketplace (pool), taproot assets (tapd), or enabling agent L402 commerce.
Usage (SKILL.md)

Lightning Terminal (litd) — Lightning Network Node

Install and operate a Lightning Terminal (litd) node for agent-driven payments. litd bundles lnd with loop, pool, tapd, and faraday — giving agents access to liquidity management, channel marketplace, and taproot assets in a single container.

Default: Docker container, neutrino backend, SQLite storage, testnet. No full Bitcoin node required. Use --network mainnet for real coins.

Default mode: watch-only with remote signer. Private keys stay on a separate signer container — the agent never touches key material. For quick testing, use --mode standalone (keys on disk, less secure).

Quick Start (Container — Recommended)

Watch-Only with Remote Signer (Production)

# 1. Install litd image
skills/lnd/scripts/install.sh

# 2. Start litd + signer containers
skills/lnd/scripts/start-lnd.sh --watchonly

# 3. Set up signer wallet (first run only)
skills/lightning-security-module/scripts/setup-signer.sh --container litd-signer

# 4. Import credentials and create watch-only wallet
skills/lnd/scripts/import-credentials.sh --bundle ~/.lnget/signer/credentials-bundle
skills/lnd/scripts/create-wallet.sh

# 5. Check status
skills/lnd/scripts/lncli.sh getinfo

Standalone (Testing Only)

# 1. Install litd image
skills/lnd/scripts/install.sh

# 2. Start litd container
skills/lnd/scripts/start-lnd.sh

# 3. Create standalone wallet (generates seed — keys on disk)
skills/lnd/scripts/create-wallet.sh --mode standalone

# 4. Check status
skills/lnd/scripts/lncli.sh getinfo

Warning: Standalone mode stores the seed mnemonic and wallet passphrase on disk. Do not use for mainnet funds you cannot afford to lose.

Regtest Development

# Start litd + bitcoind for local development
skills/lnd/scripts/start-lnd.sh --regtest

# Create wallet and mine some blocks
skills/lnd/scripts/create-wallet.sh --container litd --mode standalone
docker exec litd-bitcoind bitcoin-cli -regtest -generate 101

Container Modes

Mode        Command                   Containers            Use Case
Standalone  start-lnd.sh              litd                  Testing, development
Watch-only  start-lnd.sh --watchonly  litd + litd-signer    Production
Regtest     start-lnd.sh --regtest    litd + litd-bitcoind  Local dev

Profiles

Profiles customize litd behavior without editing compose files:

# List available profiles
skills/lnd/scripts/docker-start.sh --list-profiles

# Start with a profile
skills/lnd/scripts/start-lnd.sh --profile taproot
skills/lnd/scripts/start-lnd.sh --profile debug

Profile  Purpose
default  Standard operation (info logging)
debug    Trace logging, verbose subsystems
taproot  Simple taproot channels enabled
wumbo    Large channels up to 10 BTC
regtest  Regtest network preset

Network Selection

Default is testnet. Override with --network:

# Testnet (default — no real coins)
skills/lnd/scripts/start-lnd.sh

# Mainnet (real coins — use with remote signer)
skills/lnd/scripts/start-lnd.sh --network mainnet --watchonly

# Signet (testing network)
skills/lnd/scripts/start-lnd.sh --network signet

litd Sub-Daemons

litd integrates multiple daemons. Access them via the --cli flag:

# lnd CLI (default)
skills/lnd/scripts/lncli.sh getinfo

# Loop — liquidity management (submarine swaps)
skills/lnd/scripts/lncli.sh --cli loop quote out 100000

# Pool — channel marketplace
skills/lnd/scripts/lncli.sh --cli pool accounts list

# Taproot Assets (tapd)
skills/lnd/scripts/lncli.sh --cli tapcli assets list

# Lightning Terminal (litd)
skills/lnd/scripts/lncli.sh --cli litcli getinfo

# Faraday — channel analytics
skills/lnd/scripts/lncli.sh --cli frcli revenue

Installation

Default: pulls the litd Docker image.

skills/lnd/scripts/install.sh

This pulls lightninglabs/lightning-terminal:v0.16.0-alpha from Docker Hub and verifies the image. The litd image includes lncli, litcli, loop, pool, tapcli, and frcli.

Build from Source (Fallback)

skills/lnd/scripts/install.sh --source

Requires Go toolchain. Builds lnd and lncli with all build tags.

Native Mode

For running without Docker, use --native:

# Start natively
skills/lnd/scripts/start-lnd.sh --native --mode standalone

# Stop natively
skills/lnd/scripts/stop-lnd.sh --native

Native mode uses the config template at skills/lnd/templates/lnd.conf.template and runs lnd as a background process.

Remote Nodes

Connect to a remote lnd node with connection credentials:

skills/lnd/scripts/lncli.sh \
    --rpcserver remote-host:10009 \
    --tlscertpath ~/remote-tls.cert \
    --macaroonpath ~/remote-admin.macaroon \
    getinfo

MCP / Lightning Node Connect

For read-only access without direct gRPC connectivity, use the lightning-mcp-server skill with Lightning Node Connect (LNC). LNC uses encrypted WebSocket tunnels — no TLS certs, macaroons, or open ports needed. Just a pairing phrase from Lightning Terminal.

skills/lightning-mcp-server/scripts/install.sh
skills/lightning-mcp-server/scripts/configure.sh
skills/lightning-mcp-server/scripts/setup-claude-config.sh

Wallet Setup

Watch-Only Wallet (Default)

Imports account xpubs from the remote signer — no seed or private keys on this machine.

# Import credentials bundle from signer
skills/lnd/scripts/import-credentials.sh --bundle <credentials-bundle>

# Create watch-only wallet (auto-detects litd container)
skills/lnd/scripts/create-wallet.sh

Standalone Wallet

Generates a seed locally. Use only for testing.

skills/lnd/scripts/create-wallet.sh --mode standalone

Handles the full wallet creation flow via REST API:

  1. Generates a secure random wallet passphrase
  2. Calls /v1/genseed to generate a 24-word seed mnemonic
  3. Calls /v1/initwallet with the passphrase and seed
  4. Stores credentials securely:
    • ~/.lnget/lnd/wallet-password.txt (mode 0600)
    • ~/.lnget/lnd/seed.txt (mode 0600)

Unlock Wallet

skills/lnd/scripts/unlock-wallet.sh

Auto-unlock is enabled by default in the container via --wallet-unlock-password-file. Manual unlock is only needed if auto-unlock is disabled.

Recover Wallet from Seed (Standalone Only)

skills/lnd/scripts/create-wallet.sh --mode standalone --recover --seed-file ~/.lnget/lnd/seed.txt

Starting and Stopping

Start

# Docker standalone (default)
skills/lnd/scripts/start-lnd.sh

# Docker watch-only (production)
skills/lnd/scripts/start-lnd.sh --watchonly

# Docker with profile
skills/lnd/scripts/start-lnd.sh --profile taproot

# Mainnet
skills/lnd/scripts/start-lnd.sh --network mainnet

Stop

# Stop (preserve data)
skills/lnd/scripts/stop-lnd.sh

# Stop and clean (remove volumes)
skills/lnd/scripts/stop-lnd.sh --clean

# Stop all litd containers
skills/lnd/scripts/stop-lnd.sh --all

Node Operations

All commands auto-detect the litd container:

Node Info

skills/lnd/scripts/lncli.sh getinfo
skills/lnd/scripts/lncli.sh walletbalance
skills/lnd/scripts/lncli.sh channelbalance

Funding

skills/lnd/scripts/lncli.sh newaddress p2tr
skills/lnd/scripts/lncli.sh walletbalance

Channel Management

skills/lnd/scripts/lncli.sh connect <pubkey>@<host>:9735
skills/lnd/scripts/lncli.sh openchannel --node_key=<pubkey> --local_amt=1000000
skills/lnd/scripts/lncli.sh listchannels
skills/lnd/scripts/lncli.sh closechannel --funding_txid=<txid> --output_index=<n>

Payments

skills/lnd/scripts/lncli.sh addinvoice --amt=1000 --memo="test payment"
skills/lnd/scripts/lncli.sh decodepayreq <bolt11_invoice>
skills/lnd/scripts/lncli.sh sendpayment --pay_req=<bolt11_invoice>
skills/lnd/scripts/lncli.sh listpayments

Macaroon Bakery

Use the macaroon-bakery skill for least-privilege agent credentials:

skills/macaroon-bakery/scripts/bake.sh --role pay-only
skills/macaroon-bakery/scripts/bake.sh --role invoice-only
skills/macaroon-bakery/scripts/bake.sh --inspect <path-to-macaroon>

Configuration

Container Config

The Docker compose templates pass configuration via command-line arguments. For advanced customization, mount a custom litd.conf:

  • litd template: skills/lnd/templates/litd.conf.template
  • lnd template (native): skills/lnd/templates/lnd.conf.template

Note: litd requires lnd. prefix for lnd flags (e.g., lnd.bitcoin.active). Standalone lnd does not use the prefix.

Key Defaults

  • Backend: neutrino (BIP 157/158 light client)
  • Database: SQLite
  • Network: testnet (override with --network mainnet)
  • Auto-unlock: enabled via password file

Container Naming & Ports

Container      Purpose                      Ports
litd           Main Lightning Terminal      8443, 10009, 9735, 8080
litd-signer    Remote signer (lnd)          10012, 10013
litd-bitcoind  Bitcoin Core (regtest only)  18443, 28332, 28333

Port Reference

Port   Service      Description
8443   litd UI      Lightning Terminal web UI
9735   Lightning    Peer-to-peer Lightning Network
10009  gRPC         lncli and programmatic access
8080   REST         REST API (wallet, etc.)
10012  Signer gRPC  Remote signer RPC
10013  Signer REST  Signer REST API

File Locations

Path                              Purpose
~/.lnget/lnd/wallet-password.txt  Wallet unlock passphrase (0600)
~/.lnget/lnd/seed.txt             24-word mnemonic backup (0600, standalone only)
~/.lnget/lnd/signer-credentials/  Imported signer credentials (watch-only)
versions.env                      Pinned container image versions
skills/lnd/templates/             Docker compose and config templates
skills/lnd/profiles/              Profile .env files

Version Pinning

Container image versions are pinned in versions.env at the repo root:

LITD_VERSION=v0.16.0-alpha
LND_VERSION=v0.20.0-beta

Override at runtime:

LITD_VERSION=v0.17.0-alpha skills/lnd/scripts/start-lnd.sh

Integration with lnget

Once litd is running with a funded wallet and open channels:

lnget config init
lnget ln status
lnget --max-cost 1000 https://api.example.com/paid-data

Security Considerations

See references/security.md for detailed guidance.

Default model (watch-only with remote signer):

  • No seed or private keys on the agent machine
  • Signing delegated to signer container via gRPC
  • Set up with the lightning-security-module skill

Standalone model (testing only):

  • Wallet passphrase and seed stored on disk (0600)
  • Suitable for testnet and quick testing

Macaroon security:

  • Never give agents the admin macaroon in production
  • Bake scoped macaroons with the macaroon-bakery skill

Troubleshooting

"wallet not found"

Run skills/lnd/scripts/create-wallet.sh to create the wallet.

"wallet locked"

Run skills/lnd/scripts/unlock-wallet.sh. Auto-unlock is enabled by default.

"chain backend is still syncing"

Neutrino needs time to sync headers:

skills/lnd/scripts/lncli.sh getinfo | jq '{synced_to_chain, block_height}'

Container not starting

docker logs litd
docker logs litd-signer

"remote signer not reachable"

docker ps | grep litd-signer
docker logs litd-signer
Security usage recommendations
This skill appears to do what it says (install and run Lightning Terminal), but several things do not add up and require caution:

  • Metadata vs reality: The registry entry lists no required binaries or config paths, yet the scripts assume Docker/docker-compose (for default mode) or Go/git (for source mode). Expect to need Docker and/or Go; update your install checklist accordingly.
  • Sensitive credentials: The scripts import and store TLS certs, macaroons (the example uses admin.macaroon), and can write seed/passphrase files to ~/.lnget/lnd (plain text, mode 0600). Admin macaroons allow full control of lnd — do NOT use an admin macaroon on an agent host in production. Prefer signer-only or pay-only macaroons as documented.
  • Image execution risk: The default install pulls lightninglabs/lightning-terminal from Docker Hub and runs it. Running third-party container images executes remote code — review the image, verify tags, and prefer running in an isolated VM or sandbox if you are concerned.
  • Defaults favor convenience over security: Standalone mode writes seed and passphrase to disk and enables auto-unlock by default; only use standalone in test/regtest. The skill documents better practices, but scripts and examples still make it easy to run insecurely.
  • What to check before installing:
    • Ensure Docker is installed and you understand container execution risks.
    • Inspect the Docker image tag and, if possible, pull and scan the image locally before running (or build from source in a controlled environment).
    • Replace admin.macaroon with a least-privilege macaroon (signer-only or pay-only) before importing credentials into the agent.
    • Avoid standalone mode for mainnet funds; consider running the signer on separate hardware/VM and keep keys off the agent machine.
    • Run this in an isolated VM/container if you are testing, and audit files under ~/.lnget/lnd after use.

If the publisher updates the registry metadata to declare required binaries (docker, docker-compose, git, go), and the scripts default to importing least-privilege macaroons or explicitly require signer-only macaroons, my concerns would decrease. If you want, I can list the exact script locations and lines that copy macaroons/seed/password files so you can review or patch them before running.
Functional analysis
Type: OpenClaw Skill Name: lnd Version: 1.0.1 The skill is designed for a legitimate purpose (managing a Lightning Terminal node) and includes extensive security documentation. However, the `scripts/import-credentials.sh` file contains a path traversal vulnerability. When importing a base64-encoded credentials bundle, the script uses `base64 -d | tar -xzf - -C "$CREDS_DIR"`. If an attacker provides a malicious base64-encoded tarball containing paths like `../../`, it could lead to arbitrary file writes outside the intended `~/.lnget/lnd/signer-credentials` directory. This vulnerability could be exploited via prompt injection against the agent, instructing it to import a crafted bundle.
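
A validate-then-write alternative to piping a decoded bundle straight into tar, shown as an added example that is not code from the skill. It assumes the bundle is a base64-encoded tar.gz as the analysis describes; `safe_extract_bundle`, `make_bundle`, `UnsafeBundle` and the sample file names are hypothetical.

```python
import base64, io, os, tarfile

class UnsafeBundle(Exception):
    """A bundle member is not a plain file/dir or would land outside dest."""

def _target(dest_real, name):
    # Resolve the member path and require it to stay under the target directory.
    if os.path.isabs(name):
        raise UnsafeBundle(f"absolute path: {name!r}")
    target = os.path.realpath(os.path.join(dest_real, name))
    if os.path.commonpath([dest_real, target]) != dest_real:
        raise UnsafeBundle(f"escapes target directory: {name!r}")
    return target

def safe_extract_bundle(b64_bundle, dest):
    """Decode a base64 tar.gz bundle; write only regular files under dest."""
    raw = base64.b64decode("".join(b64_bundle.split()), validate=True)
    os.makedirs(dest, mode=0o700, exist_ok=True)
    dest_real = os.path.realpath(dest)
    written = []
    with tarfile.open(fileobj=io.BytesIO(raw), mode="r:gz") as tar:
        plan = []
        for m in tar.getmembers():  # pass 1: validate everything, write nothing
            if not (m.isreg() or m.isdir()):
                raise UnsafeBundle(f"link or special file: {m.name!r}")
            plan.append((m, _target(dest_real, m.name)))
        for m, target in plan:      # pass 2: write with owner-only permissions
            if m.isdir():
                os.makedirs(target, mode=0o700, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), mode=0o700, exist_ok=True)
            fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
            with os.fdopen(fd, "wb") as out:
                out.write(tar.extractfile(m).read())
            written.append(os.path.relpath(target, dest_real))
    return sorted(written)

def make_bundle(files, symlinks=()):
    """Build a constructed sample bundle from (name, bytes) and (name, link) pairs."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for name, linkname in symlinks:
            info = tarfile.TarInfo(name)
            info.type, info.linkname = tarfile.SYMTYPE, linkname
            tar.addfile(info)
    return base64.b64encode(buf.getvalue()).decode()
```

Because every member is checked before the first write, a bundle that mixes legitimate files with one escaping entry leaves the credentials directory untouched.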
Capability assessment
Purpose & Capability
The skill claims to install/run Lightning Terminal which legitimately requires Docker (or a Go toolchain for source builds), docker-compose, openssl, and optionally git/Go. However the registry metadata declares no required binaries, env vars, or config paths — a clear metadata mismatch that hides real host-level requirements.
Instruction Scope
SKILL.md and the scripts direct the agent/user to pull Docker images, run containers, clone/build upstream repositories, auto-detect and exec into Docker containers, write wallet passphrases and seed mnemonics to disk (~/.lnget/lnd), and copy macaroons/certs into containers. Those actions are within the skill's stated purpose but involve handling and storing highly sensitive credentials and performing broad host operations (docker exec/cp, nohup, background lnd processes). The instructions also accept base64 bundles which will be decoded and extracted locally — this can write arbitrary files from external input.
Install Mechanism
There is no separate install spec, but the provided scripts pull images from Docker Hub (lightninglabs/lightning-terminal) and clone from GitHub for source builds. Those are standard upstream sources (Docker Hub, github.com) — not high-risk URLs — but running third-party images executes remote code on your host and should be done only after review and in a confined environment.
Credentials
The skill declares no required credentials, but scripts expect and store TLS certs and macaroons (including admin.macaroon by default) and will copy them into containers. Admin macaroons grant full control of lnd; importing/copying them into the agent host/container is a high-privilege action. The skill does provide documentation recommending least-privilege macaroons, but the default code and examples rely on admin.macaroon and write seed/passphrase files in plaintext (0600) — which is risky if not carefully managed.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It writes files into the user's home (~/.lnget/lnd) and may run containers and background processes, which is expected for this functionality but grants the skill persistent artifacts on disk. Autonomous invocation is allowed by default (normal), so consider agent autonomy when granting access.
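How to use
  1. Make sure OpenClaw is installed (locally or via Docker)
  2. Enter the install command in the chat box: /install lnd
  3. Once installed, call the Skill by name or trigger it with /lnd
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history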
v1.0.1
  • Removed configuration template files: `litd-regtest.toml`, `litd-watchonly.toml`, `litd.toml`, and `lnd.toml` from the templates directory.
  • No changes to user-facing functionality or documentation.
  • Skill version update for maintenance and cleanup.
v1.0.0
  • Initial release of the lnd skill for running Lightning Terminal (litd) and bundled services in a Docker container.
  • Supports watch-only mode with a remote signer for production, standalone mode for testing, and regtest for development.
  • Defaults to testnet, neutrino backend, and SQLite storage; mainnet and signet supported via flags.
  • Provides profile-based configuration and native/non-Docker operation.
  • Includes scripts for streamlined wallet setup (watch-only or standalone), wallet recovery, and seamless access to litd sub-daemons (lnd, loop, pool, tapd, faraday).
  • Clear container management, wallet operations, and integration instructions for Lightning Node Connect (LNC) and agent payments.
Metadata
Slug lnd
Version 1.0.1
License
Total installs 0
Current installs 0
Number of versions 2
FAQ

What is Lnd?

Install and run Lightning Terminal (litd) which bundles lnd, loop, pool, tapd, and faraday in a single Docker container. Defaults to neutrino backend with SQLite storage on testnet. Supports watch-only mode with remote signer, standalone mode, and regtest development. Use when setting up a Lightning node for payments, channel management, liquidity management (loop), channel marketplace (pool), taproot assets (tapd), or enabling agent L402 commerce. It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 1133 total downloads so far.

How do I install Lnd?

Run the command "/install lnd" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is Lnd free?

Yes, Lnd is completely free (free and open source) and can be freely downloaded, installed, and used.

Which platforms does Lnd support?

Lnd runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Lnd?

It is developed and maintained by Roasbeef (@roasbeef); the current version is v1.0.1.
