Requirements
- Target platform: OpenClaw
- Install method: Manual import
- Extraction: Extract archive
- Prerequisites: OpenClaw
- Primary doc: SKILL.md
Set up an lnd remote signer container that holds private keys separately from the agent. Exports a credentials bundle (accounts JSON, TLS cert, admin macaroon) for watch-only litd nodes. Container-first with Docker, native fallback. Use when firewalling private key material from AI agents.
Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.
I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete.
I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run.
Set up an lnd remote signer container that holds private keys on a separate, secured machine. The signer never routes payments or opens channels; it only holds keys and signs when asked by a watch-only litd node.

```text
    Agent Machine                         Signer Machine (secure)
+---------------------+                +-------------------------+
| litd (watch-only)   |-----gRPC------>| lnd (signer)            |
| - neutrino          |                | - holds seed            |
| - manages chans     |                | - signs commitments     |
| - routes pmts       |                | - signs on-chain txs    |
| - NO key material   |                | - no p2p networking     |
+---------------------+                +-------------------------+
```

The watch-only node handles all networking and channel management. The signer node holds the seed and performs cryptographic signing. Even if the agent machine is fully compromised, the attacker cannot extract private keys. See references/architecture.md for the full architecture explainer.
```bash
# 1. Install lnd signer image
skills/lightning-security-module/scripts/install.sh

# 2. Start signer container
skills/lightning-security-module/scripts/start-signer.sh

# 3. Set up signer wallet and export credentials
skills/lightning-security-module/scripts/setup-signer.sh

# 4. Copy the credentials bundle to the agent machine
# The setup script prints the bundle path and base64 string.
```

```bash
# 5. Import credentials bundle
skills/lnd/scripts/import-credentials.sh --bundle <credentials-bundle>

# 6. Start litd in watch-only mode
skills/lnd/scripts/start-lnd.sh --watchonly

# 7. Create watch-only wallet
skills/lnd/scripts/create-wallet.sh

# 8. Check status
skills/lnd/scripts/lncli.sh getinfo
```
For testing both on the same machine:

```bash
# Start litd + signer together
skills/lnd/scripts/start-lnd.sh --watchonly

# Set up signer wallet
skills/lightning-security-module/scripts/setup-signer.sh --container litd-signer

# Import credentials and create watch-only wallet
skills/lnd/scripts/import-credentials.sh --bundle ~/.lnget/signer/credentials-bundle
skills/lnd/scripts/create-wallet.sh --container litd
```
Default: pulls the lnd Docker image for the signer.

```bash
skills/lightning-security-module/scripts/install.sh
```

This pulls lightninglabs/lnd:v0.20.0-beta from Docker Hub. The signer only needs plain lnd (not litd) since it only holds keys and signs.
To build from source instead:

```bash
skills/lightning-security-module/scripts/install.sh --source
```
For running the signer without Docker:

```bash
# Set up signer natively
skills/lightning-security-module/scripts/setup-signer.sh --native

# Start signer natively
skills/lightning-security-module/scripts/start-signer.sh --native

# Stop signer natively
skills/lightning-security-module/scripts/stop-signer.sh --native
```
Export credentials from a remote signer:

```bash
skills/lightning-security-module/scripts/export-credentials.sh \
  --rpcserver signer-host:10012 \
  --tlscertpath ~/signer-tls.cert \
  --macaroonpath ~/signer-admin.macaroon
```
The exported bundle (~/.lnget/signer/credentials-bundle/) contains:

| File | Purpose |
| --- | --- |
| accounts.json | Account xpubs for watch-only wallet import |
| tls.cert | Signer's TLS certificate for authenticated gRPC |
| admin.macaroon | Signer's admin macaroon for RPC authentication |

The bundle is also available as a single base64-encoded tar.gz file (credentials-bundle.tar.gz.b64) for easy copy-paste transfer between machines.
| Script | Purpose |
| --- | --- |
| install.sh | Pull lnd signer image (or build from source) |
| docker-start.sh | Start signer container |
| docker-stop.sh | Stop signer container |
| setup-signer.sh | Create signer wallet and export credentials |
| start-signer.sh | Start signer (delegates to Docker by default) |
| stop-signer.sh | Stop signer (delegates to Docker by default) |
| export-credentials.sh | Re-export credentials from running signer |
```bash
# Docker (default)
skills/lightning-security-module/scripts/start-signer.sh

# With network override
skills/lightning-security-module/scripts/start-signer.sh --network mainnet
```
```bash
# Docker stop (preserve data)
skills/lightning-security-module/scripts/stop-signer.sh

# Docker stop + remove volumes
skills/lightning-security-module/scripts/stop-signer.sh --clean
```
If TLS certificates or macaroons have been regenerated:

```bash
skills/lightning-security-module/scripts/export-credentials.sh
```
The signer compose template is at skills/lightning-security-module/templates/docker-compose-signer.yml. Config is passed via command-line arguments.
The native signer config template is at skills/lightning-security-module/templates/signer-lnd.conf.template. Key differences from a standard lnd node:

- No P2P listening (`--listen=`): the signer doesn't route
- RPC on 0.0.0.0:10012: accepts connections from the watch-only node
- REST on localhost:10013: local only, for wallet creation
- TLS extra IP 0.0.0.0: a watch-only node on a different machine can connect
- No autopilot, no routing fees: the signer is signing-only
What stays on the signer:

- 24-word seed mnemonic
- All private keys (funding, revocation, HTLC)
- Wallet database with key material

What gets exported:

- Account xpubs (public keys only; cannot spend)
- TLS certificate (for authenticated connection)
- Admin macaroon (for RPC auth; scope down for production)

Threat model:

- A compromised agent machine cannot sign transactions or extract keys
- An attacker with agent access can see balances and channel state but not spend
- The signer machine should have minimal attack surface

Production hardening:

- Replace the admin macaroon with a signer-only macaroon (see macaroon-bakery)
- Restrict signer RPC to specific IP addresses via firewall
- Run the signer on dedicated hardware or a hardened VM
- Use Lightning Node Connect (LNC) via lightning-mcp-server for read-only agent access
For production, bake a signing-only macaroon:

```bash
skills/macaroon-bakery/scripts/bake.sh --role signer-only \
  --container litd-signer --rpc-port 10012
```

Then re-export the credentials bundle with the scoped macaroon.
| Container | Purpose | Ports |
| --- | --- | --- |
| litd-signer | Remote signer (lnd) | 10012, 10013 |

| Port | Service | Interface | Description |
| --- | --- | --- | --- |
| 10012 | gRPC | 0.0.0.0 | Signer RPC (watch-only connects here) |
| 10013 | REST | 0.0.0.0 | REST for wallet creation |
| Path | Purpose |
| --- | --- |
| ~/.lnget/signer/wallet-password.txt | Signer wallet passphrase (0600) |
| ~/.lnget/signer/seed.txt | Signer seed mnemonic (0600) |
| ~/.lnget/signer/credentials-bundle/ | Exported credentials |
| ~/.lnget/signer/signer-lnd.conf | Signer config (native mode) |
| versions.env | Pinned container image versions |
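The credentials bundle is the one artifact that crosses from the signer machine to the agent machine, so it is worth checking what it actually contains before importing it, and worth confirming that the files listed above as 0600 really are. The script below is an added example, not one of the skill's own scripts: it builds a constructed bundle in the layout described on this page (accounts.json, tls.cert, admin.macaroon, plus the base64 tar.gz transfer copy), verifies that a .b64 bundle holds exactly those three files and no private-key markers, and checks that signer-side secret files are mode 0600. The accounts.json field names and every file's contents are placeholders, not real lnd output.

```bash
#!/usr/bin/env bash
# Added example, not part of the lightning-security-module scripts.
# Builds a constructed credentials bundle in the layout the page describes,
# then verifies a .b64 bundle before it is imported on the agent machine.
set -eu

WORK="$(mktemp -d)"
BUNDLE="$WORK/credentials-bundle"

# Pack a bundle directory into the single-file .tar.gz.b64 transfer form.
# Only the named members are archived, so stray files never ride along.
pack_bundle() {
  src="$1"; out="$2"; shift 2
  tar -czf - -C "$src" "$@" | base64 | tr -d '\n' > "$out"
}

# Constructed sample bundle: public account data, TLS cert, macaroon.
# Field names and contents are placeholders, not real lnd output.
make_sample_bundle() {
  mkdir -p "$BUNDLE"
  printf '{"accounts":[{"name":"default","extended_public_key":"xpubPLACEHOLDER"}]}\n' \
    > "$BUNDLE/accounts.json"
  printf -- '-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n' \
    > "$BUNDLE/tls.cert"
  printf 'PLACEHOLDER-MACAROON-BYTES' > "$BUNDLE/admin.macaroon"
  chmod 0600 "$BUNDLE"/*
  pack_bundle "$BUNDLE" "$WORK/credentials-bundle.tar.gz.b64" \
    accounts.json tls.cert admin.macaroon
}

# A deliberately wrong bundle that also carries the signer's seed file.
# verify_bundle_b64 must reject it; used to exercise the negative path.
make_leaky_bundle() {
  dir="$(mktemp -d)"
  cp "$BUNDLE"/* "$dir"/
  printf 'placeholder mnemonic words go here\n' > "$dir/seed.txt"
  pack_bundle "$dir" "$WORK/leaky.tar.gz.b64" \
    accounts.json tls.cert admin.macaroon seed.txt
  printf '%s\n' "$WORK/leaky.tar.gz.b64"
}

# Decode and inspect a .b64 bundle without trusting its contents.
# Exit codes: 0 ok, 1 bad base64, 2 unexpected member set (or unreadable
# archive), 3 private-key marker found, 4 tls.cert is not a certificate.
verify_bundle_b64() {
  b64="$1"
  tmp="$(mktemp -d)"
  base64 -d "$b64" > "$tmp/bundle.tar.gz" 2>/dev/null || return 1
  members="$(tar -tzf "$tmp/bundle.tar.gz" 2>/dev/null | sed 's#^\./##' | sort | tr '\n' ' ')"
  if [ "$members" != "accounts.json admin.macaroon tls.cert " ]; then
    echo "unexpected bundle members: $members" >&2
    return 2
  fi
  tar -xzf "$tmp/bundle.tar.gz" -C "$tmp"
  # Only xpubs and a certificate may cross to the agent machine.
  if grep -qE 'xprv|tprv|PRIVATE KEY' "$tmp/accounts.json" "$tmp/tls.cert"; then
    echo "private key material found in bundle" >&2
    return 3
  fi
  grep -q 'BEGIN CERTIFICATE' "$tmp/tls.cert" || return 4
  rm -rf "$tmp"
  return 0
}

# Signer-side secrets (seed.txt, wallet-password.txt) must be mode 0600.
# Reads the mode string from ls -l so it works on GNU and BSD userlands.
check_secret_perms() {
  mode="$(ls -ld "$1" | cut -c2-10)"
  [ "$mode" = "rw-------" ]
}

make_sample_bundle
verify_bundle_b64 "$WORK/credentials-bundle.tar.gz.b64" \
  && echo "bundle OK: $WORK/credentials-bundle.tar.gz.b64"
```

Run it on the agent machine against the .b64 string the setup script printed, before calling import-credentials.sh; a non-zero exit means the bundle carries something the watch-only node should never receive, and the exit code says which check tripped.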