{
  "schemaVersion": "1.0",
  "item": {
    "slug": "lightning-security-module",
    "name": "Lightning Security Module",
    "source": "tencent",
    "type": "skill",
    "category": "安全合规",
    "sourceUrl": "https://clawhub.ai/Roasbeef/lightning-security-module",
    "canonicalUrl": "https://clawhub.ai/Roasbeef/lightning-security-module",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/lightning-security-module",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=lightning-security-module",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "SKILL.md",
      "templates/signer-lnd-example.toml",
      "templates/docker-compose-signer.yml",
      "scripts/docker-stop.sh",
      "scripts/install.sh",
      "scripts/start-signer.sh"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-23T16:43:11.935Z",
      "expiresAt": "2026-04-30T16:43:11.935Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=4claw-imageboard",
        "contentDisposition": "attachment; filename=\"4claw-imageboard-1.0.1.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this source.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/lightning-security-module"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
        "Confirm the extracted package contains the expected setup assets."
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/lightning-security-module",
    "agentPageUrl": "https://openagent3.xyz/skills/lightning-security-module/agent",
    "manifestUrl": "https://openagent3.xyz/skills/lightning-security-module/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/lightning-security-module/agent.md"
  },
  "agentAssist": {
    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
        "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "Lightning Security Module (Remote Signer)",
        "body": "Set up an lnd remote signer container that holds private keys on a separate,\nsecured machine. The signer never routes payments or opens channels — it only\nholds keys and signs when asked by a watch-only litd node."
      },
      {
        "title": "Architecture",
        "body": "Agent Machine                     Signer Machine (secure)\n┌─────────────────┐              ┌─────────────────────┐\n│  litd (watch-only)│◄──gRPC───►│  lnd (signer)        │\n│  - neutrino      │             │  - holds seed         │\n│  - manages chans │             │  - signs commitments  │\n│  - routes pmts   │             │  - signs on-chain txs │\n│  - NO key material│            │  - no p2p networking   │\n└─────────────────┘              └─────────────────────┘\n\nThe watch-only node handles all networking and channel management. The signer\nnode holds the seed and performs cryptographic signing. Even if the agent machine\nis fully compromised, the attacker cannot extract private keys.\n\nSee references/architecture.md for the full\narchitecture explainer."
      },
      {
        "title": "On the Signer Machine",
        "body": "# 1. Install lnd signer image\nskills/lightning-security-module/scripts/install.sh\n\n# 2. Start signer container\nskills/lightning-security-module/scripts/start-signer.sh\n\n# 3. Set up signer wallet and export credentials\nskills/lightning-security-module/scripts/setup-signer.sh\n\n# 4. Copy the credentials bundle to the agent machine\n#    The setup script prints the bundle path and base64 string."
      },
      {
        "title": "On the Agent Machine",
        "body": "# 5. Import credentials bundle\nskills/lnd/scripts/import-credentials.sh --bundle <credentials-bundle>\n\n# 6. Start litd in watch-only mode\nskills/lnd/scripts/start-lnd.sh --watchonly\n\n# 7. Create watch-only wallet\nskills/lnd/scripts/create-wallet.sh\n\n# 8. Check status\nskills/lnd/scripts/lncli.sh getinfo"
      },
      {
        "title": "Two-Container Local Setup",
        "body": "For testing both on the same machine:\n\n# Start litd + signer together\nskills/lnd/scripts/start-lnd.sh --watchonly\n\n# Set up signer wallet\nskills/lightning-security-module/scripts/setup-signer.sh --container litd-signer\n\n# Import credentials and create watch-only wallet\nskills/lnd/scripts/import-credentials.sh --bundle ~/.lnget/signer/credentials-bundle\nskills/lnd/scripts/create-wallet.sh --container litd"
      },
      {
        "title": "Installation",
        "body": "Default: pulls the lnd Docker image for the signer.\n\nskills/lightning-security-module/scripts/install.sh\n\nThis pulls lightninglabs/lnd:v0.20.0-beta from Docker Hub. The signer only\nneeds plain lnd (not litd) since it only holds keys and signs."
      },
      {
        "title": "Build from Source (Fallback)",
        "body": "skills/lightning-security-module/scripts/install.sh --source"
      },
      {
        "title": "Native Mode",
        "body": "For running the signer without Docker:\n\n# Set up signer natively\nskills/lightning-security-module/scripts/setup-signer.sh --native\n\n# Start signer natively\nskills/lightning-security-module/scripts/start-signer.sh --native\n\n# Stop signer natively\nskills/lightning-security-module/scripts/stop-signer.sh --native"
      },
      {
        "title": "Remote Nodes",
        "body": "Export credentials from a remote signer:\n\nskills/lightning-security-module/scripts/export-credentials.sh \\\n    --rpcserver signer-host:10012 \\\n    --tlscertpath ~/signer-tls.cert \\\n    --macaroonpath ~/signer-admin.macaroon"
      },
      {
        "title": "Credential Bundle Format",
        "body": "The exported bundle (~/.lnget/signer/credentials-bundle/) contains:\n\nFile\tPurpose\naccounts.json\tAccount xpubs for watch-only wallet import\ntls.cert\tSigner's TLS certificate for authenticated gRPC\nadmin.macaroon\tSigner's admin macaroon for RPC authentication\n\nThe bundle is also available as a single base64-encoded tar.gz file\n(credentials-bundle.tar.gz.b64) for easy copy-paste transfer between machines."
      },
      {
        "title": "Scripts",
        "body": "Script\tPurpose\ninstall.sh\tPull lnd signer image (or build from source)\ndocker-start.sh\tStart signer container\ndocker-stop.sh\tStop signer container\nsetup-signer.sh\tCreate signer wallet and export credentials\nstart-signer.sh\tStart signer (delegates to Docker by default)\nstop-signer.sh\tStop signer (delegates to Docker by default)\nexport-credentials.sh\tRe-export credentials from running signer"
      },
      {
        "title": "Start",
        "body": "# Docker (default)\nskills/lightning-security-module/scripts/start-signer.sh\n\n# With network override\nskills/lightning-security-module/scripts/start-signer.sh --network mainnet"
      },
      {
        "title": "Stop",
        "body": "# Docker stop (preserve data)\nskills/lightning-security-module/scripts/stop-signer.sh\n\n# Docker stop + remove volumes\nskills/lightning-security-module/scripts/stop-signer.sh --clean"
      },
      {
        "title": "Re-export Credentials",
        "body": "If TLS certificates or macaroons have been regenerated:\n\nskills/lightning-security-module/scripts/export-credentials.sh"
      },
      {
        "title": "Container Config",
        "body": "The signer compose template is at\nskills/lightning-security-module/templates/docker-compose-signer.yml. Config\nis passed via command-line arguments."
      },
      {
        "title": "Native Config",
        "body": "The native signer config template is at\nskills/lightning-security-module/templates/signer-lnd.conf.template. Key\ndifferences from a standard lnd node:\n\nNo P2P listening (--listen=) — signer doesn't route\nRPC on 0.0.0.0:10012 — accepts connections from watch-only node\nREST on localhost:10013 — local only, for wallet creation\nTLS extra IP 0.0.0.0 — watch-only on a different machine can connect\nNo autopilot, no routing fees — signer is signing-only"
      },
      {
        "title": "Security Model",
        "body": "What stays on the signer:\n\n24-word seed mnemonic\nAll private keys (funding, revocation, HTLC)\nWallet database with key material\n\nWhat gets exported:\n\nAccount xpubs (public keys only — cannot spend)\nTLS certificate (for authenticated connection)\nAdmin macaroon (for RPC auth — scope down for production)\n\nThreat model:\n\nCompromised agent machine cannot sign transactions or extract keys\nAttacker with agent access can see balances and channel state but not spend\nSigner machine should have minimal attack surface\n\nProduction hardening:\n\nReplace admin macaroon with a signer-only macaroon (see macaroon-bakery)\nRestrict signer RPC to specific IP addresses via firewall\nRun signer on dedicated hardware or a hardened VM\nUse Lightning Node Connect (LNC) via lightning-mcp-server for read-only agent access"
      },
      {
        "title": "Macaroon Bakery for Signer",
        "body": "For production, bake a signing-only macaroon:\n\nskills/macaroon-bakery/scripts/bake.sh --role signer-only \\\n    --container litd-signer --rpc-port 10012\n\nThen re-export the credentials bundle with the scoped macaroon."
      },
      {
        "title": "Container & Ports",
        "body": "Container\tPurpose\tPorts\nlitd-signer\tRemote signer (lnd)\t10012, 10013\n\nPort\tService\tInterface\tDescription\n10012\tgRPC\t0.0.0.0\tSigner RPC (watch-only connects here)\n10013\tREST\t0.0.0.0\tREST for wallet creation"
      },
      {
        "title": "File Locations",
        "body": "Path\tPurpose\n~/.lnget/signer/wallet-password.txt\tSigner wallet passphrase (0600)\n~/.lnget/signer/seed.txt\tSigner seed mnemonic (0600)\n~/.lnget/signer/credentials-bundle/\tExported credentials\n~/.lnget/signer/signer-lnd.conf\tSigner config (native mode)\nversions.env\tPinned container image versions"
      }
    ],
    "body": "Lightning Security Module (Remote Signer)\n\nSet up an lnd remote signer container that holds private keys on a separate, secured machine. The signer never routes payments or opens channels — it only holds keys and signs when asked by a watch-only litd node.\n\nArchitecture\nAgent Machine                     Signer Machine (secure)\n┌─────────────────┐              ┌─────────────────────┐\n│  litd (watch-only)│◄──gRPC───►│  lnd (signer)        │\n│  - neutrino      │             │  - holds seed         │\n│  - manages chans │             │  - signs commitments  │\n│  - routes pmts   │             │  - signs on-chain txs │\n│  - NO key material│            │  - no p2p networking   │\n└─────────────────┘              └─────────────────────┘\n\n\nThe watch-only node handles all networking and channel management. The signer node holds the seed and performs cryptographic signing. Even if the agent machine is fully compromised, the attacker cannot extract private keys.\n\nSee references/architecture.md for the full architecture explainer.\n\nQuick Start (Container — Recommended)\nOn the Signer Machine\n# 1. Install lnd signer image\nskills/lightning-security-module/scripts/install.sh\n\n# 2. Start signer container\nskills/lightning-security-module/scripts/start-signer.sh\n\n# 3. Set up signer wallet and export credentials\nskills/lightning-security-module/scripts/setup-signer.sh\n\n# 4. Copy the credentials bundle to the agent machine\n#    The setup script prints the bundle path and base64 string.\n\nOn the Agent Machine\n# 5. Import credentials bundle\nskills/lnd/scripts/import-credentials.sh --bundle <credentials-bundle>\n\n# 6. Start litd in watch-only mode\nskills/lnd/scripts/start-lnd.sh --watchonly\n\n# 7. Create watch-only wallet\nskills/lnd/scripts/create-wallet.sh\n\n# 8. Check status\nskills/lnd/scripts/lncli.sh getinfo\n\nTwo-Container Local Setup\n\nFor testing both on the same machine:\n\n# Start litd + signer together\nskills/lnd/scripts/start-lnd.sh --watchonly\n\n# Set up signer wallet\nskills/lightning-security-module/scripts/setup-signer.sh --container litd-signer\n\n# Import credentials and create watch-only wallet\nskills/lnd/scripts/import-credentials.sh --bundle ~/.lnget/signer/credentials-bundle\nskills/lnd/scripts/create-wallet.sh --container litd\n\nInstallation\n\nDefault: pulls the lnd Docker image for the signer.\n\nskills/lightning-security-module/scripts/install.sh\n\n\nThis pulls lightninglabs/lnd:v0.20.0-beta from Docker Hub. The signer only needs plain lnd (not litd) since it only holds keys and signs.\n\nBuild from Source (Fallback)\nskills/lightning-security-module/scripts/install.sh --source\n\nNative Mode\n\nFor running the signer without Docker:\n\n# Set up signer natively\nskills/lightning-security-module/scripts/setup-signer.sh --native\n\n# Start signer natively\nskills/lightning-security-module/scripts/start-signer.sh --native\n\n# Stop signer natively\nskills/lightning-security-module/scripts/stop-signer.sh --native\n\nRemote Nodes\n\nExport credentials from a remote signer:\n\nskills/lightning-security-module/scripts/export-credentials.sh \\\n    --rpcserver signer-host:10012 \\\n    --tlscertpath ~/signer-tls.cert \\\n    --macaroonpath ~/signer-admin.macaroon\n\nCredential Bundle Format\n\nThe exported bundle (~/.lnget/signer/credentials-bundle/) contains:\n\nFile\tPurpose\naccounts.json\tAccount xpubs for watch-only wallet import\ntls.cert\tSigner's TLS certificate for authenticated gRPC\nadmin.macaroon\tSigner's admin macaroon for RPC authentication\n\nThe bundle is also available as a single base64-encoded tar.gz file (credentials-bundle.tar.gz.b64) for easy copy-paste transfer between machines.\n\nScripts\nScript\tPurpose\ninstall.sh\tPull lnd signer image (or build from source)\ndocker-start.sh\tStart signer container\ndocker-stop.sh\tStop signer container\nsetup-signer.sh\tCreate signer wallet and export credentials\nstart-signer.sh\tStart signer (delegates to Docker by default)\nstop-signer.sh\tStop signer (delegates to Docker by default)\nexport-credentials.sh\tRe-export credentials from running signer\nManaging the Signer\nStart\n# Docker (default)\nskills/lightning-security-module/scripts/start-signer.sh\n\n# With network override\nskills/lightning-security-module/scripts/start-signer.sh --network mainnet\n\nStop\n# Docker stop (preserve data)\nskills/lightning-security-module/scripts/stop-signer.sh\n\n# Docker stop + remove volumes\nskills/lightning-security-module/scripts/stop-signer.sh --clean\n\nRe-export Credentials\n\nIf TLS certificates or macaroons have been regenerated:\n\nskills/lightning-security-module/scripts/export-credentials.sh\n\nConfiguration\nContainer Config\n\nThe signer compose template is at skills/lightning-security-module/templates/docker-compose-signer.yml. Config is passed via command-line arguments.\n\nNative Config\n\nThe native signer config template is at skills/lightning-security-module/templates/signer-lnd.conf.template. Key differences from a standard lnd node:\n\nNo P2P listening (--listen=) — signer doesn't route\nRPC on 0.0.0.0:10012 — accepts connections from watch-only node\nREST on localhost:10013 — local only, for wallet creation\nTLS extra IP 0.0.0.0 — watch-only on a different machine can connect\nNo autopilot, no routing fees — signer is signing-only\nSecurity Model\n\nWhat stays on the signer:\n\n24-word seed mnemonic\nAll private keys (funding, revocation, HTLC)\nWallet database with key material\n\nWhat gets exported:\n\nAccount xpubs (public keys only — cannot spend)\nTLS certificate (for authenticated connection)\nAdmin macaroon (for RPC auth — scope down for production)\n\nThreat model:\n\nCompromised agent machine cannot sign transactions or extract keys\nAttacker with agent access can see balances and channel state but not spend\nSigner machine should have minimal attack surface\n\nProduction hardening:\n\nReplace admin macaroon with a signer-only macaroon (see macaroon-bakery)\nRestrict signer RPC to specific IP addresses via firewall\nRun signer on dedicated hardware or a hardened VM\nUse Lightning Node Connect (LNC) via lightning-mcp-server for read-only agent access\nMacaroon Bakery for Signer\n\nFor production, bake a signing-only macaroon:\n\nskills/macaroon-bakery/scripts/bake.sh --role signer-only \\\n    --container litd-signer --rpc-port 10012\n\n\nThen re-export the credentials bundle with the scoped macaroon.\n\nContainer & Ports\nContainer\tPurpose\tPorts\nlitd-signer\tRemote signer (lnd)\t10012, 10013\nPort\tService\tInterface\tDescription\n10012\tgRPC\t0.0.0.0\tSigner RPC (watch-only connects here)\n10013\tREST\t0.0.0.0\tREST for wallet creation\nFile Locations\nPath\tPurpose\n~/.lnget/signer/wallet-password.txt\tSigner wallet passphrase (0600)\n~/.lnget/signer/seed.txt\tSigner seed mnemonic (0600)\n~/.lnget/signer/credentials-bundle/\tExported credentials\n~/.lnget/signer/signer-lnd.conf\tSigner config (native mode)\nversions.env\tPinned container image versions"
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/Roasbeef/lightning-security-module",
    "publisherUrl": "https://clawhub.ai/Roasbeef/lightning-security-module",
    "owner": "Roasbeef",
    "version": "1.0.0",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/lightning-security-module",
    "downloadUrl": "https://openagent3.xyz/downloads/lightning-security-module",
    "agentUrl": "https://openagent3.xyz/skills/lightning-security-module/agent",
    "manifestUrl": "https://openagent3.xyz/skills/lightning-security-module/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/lightning-security-module/agent.md"
  }
}