{
  "schemaVersion": "1.0",
  "item": {
    "slug": "lnd-macaroon-bakery",
    "name": "lnd macaroon bakery",
    "source": "tencent",
    "type": "skill",
    "category": "AI 智能",
    "sourceUrl": "https://clawhub.ai/Roasbeef/lnd-macaroon-bakery",
    "canonicalUrl": "https://clawhub.ai/Roasbeef/lnd-macaroon-bakery",
    "targetPlatform": "OpenClaw"
  },
  "install": {
    "downloadMode": "redirect",
    "downloadUrl": "/downloads/lnd-macaroon-bakery",
    "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=lnd-macaroon-bakery",
    "sourcePlatform": "tencent",
    "targetPlatform": "OpenClaw",
    "installMethod": "Manual import",
    "extraction": "Extract archive",
    "prerequisites": [
      "OpenClaw"
    ],
    "packageFormat": "ZIP package",
    "includedAssets": [
      "SKILL.md",
      "scripts/bake.sh"
    ],
    "primaryDoc": "SKILL.md",
    "quickSetup": [
      "Download the package from Yavira.",
      "Extract the archive and review SKILL.md first.",
      "Import or place the package into your OpenClaw setup."
    ],
    "agentAssist": {
      "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
      "steps": [
        "Download the package from Yavira.",
        "Extract it into a folder your agent can access.",
        "Paste one of the prompts below and point your agent at the extracted folder."
      ],
      "prompts": [
        {
          "label": "New install",
          "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
        },
        {
          "label": "Upgrade existing",
          "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
        }
      ]
    },
    "sourceHealth": {
      "source": "tencent",
      "status": "healthy",
      "reason": "direct_download_ok",
      "recommendedAction": "download",
      "checkedAt": "2026-04-30T16:55:25.780Z",
      "expiresAt": "2026-05-07T16:55:25.780Z",
      "httpStatus": 200,
      "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network",
      "contentType": "application/zip",
      "probeMethod": "head",
      "details": {
        "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network",
        "contentDisposition": "attachment; filename=\"network-1.0.0.zip\"",
        "redirectLocation": null,
        "bodySnippet": null
      },
      "scope": "source",
      "summary": "Source download looks usable.",
      "detail": "Yavira can redirect you to the upstream package for this source.",
      "primaryActionLabel": "Download for OpenClaw",
      "primaryActionHref": "/downloads/lnd-macaroon-bakery"
    },
    "validation": {
      "installChecklist": [
        "Use the Yavira download entry.",
        "Review SKILL.md after the package is downloaded.",
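        "Confirm the extracted package contains the expected setup assets (SKILL.md and scripts/bake.sh), and read scripts/bake.sh before running it, since it is invoked with access to node credentials."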
      ],
      "postInstallChecks": [
        "Confirm the extracted package includes the expected docs or setup files.",
        "Validate the skill or prompts are available in your target agent workspace.",
        "Capture any manual follow-up steps the agent could not complete."
      ]
    },
    "downloadPageUrl": "https://openagent3.xyz/downloads/lnd-macaroon-bakery",
    "agentPageUrl": "https://openagent3.xyz/skills/lnd-macaroon-bakery/agent",
    "manifestUrl": "https://openagent3.xyz/skills/lnd-macaroon-bakery/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/lnd-macaroon-bakery/agent.md"
  },
  "agentAssist": {
    "summary": "Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually.",
    "steps": [
      "Download the package from Yavira.",
      "Extract it into a folder your agent can access.",
      "Paste one of the prompts below and point your agent at the extracted folder."
    ],
    "prompts": [
      {
        "label": "New install",
        "body": "I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete."
      },
      {
        "label": "Upgrade existing",
        "body": "I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run."
      }
    ]
  },
  "documentation": {
    "source": "clawhub",
    "primaryDoc": "SKILL.md",
    "sections": [
      {
        "title": "Macaroon Bakery",
        "body": "Bake custom lnd macaroons so every agent gets only the permissions it needs.\nNever hand out admin.macaroon in production — bake a scoped one instead."
      },
      {
        "title": "Quick Start",
        "body": "# Bake a pay-only macaroon\nskills/macaroon-bakery/scripts/bake.sh --role pay-only\n\n# Bake an invoice-only macaroon\nskills/macaroon-bakery/scripts/bake.sh --role invoice-only\n\n# Bake a read-only macaroon\nskills/macaroon-bakery/scripts/bake.sh --role read-only\n\n# Inspect any macaroon\nskills/macaroon-bakery/scripts/bake.sh --inspect ~/.lnd/data/chain/bitcoin/mainnet/admin.macaroon\n\n# List all available lnd permissions\nskills/macaroon-bakery/scripts/bake.sh --list-permissions"
      },
      {
        "title": "Docker",
        "body": "The litd container is auto-detected. You can also specify --container:\n\n# Auto-detect litd container (default)\nskills/macaroon-bakery/scripts/bake.sh --role pay-only\n\n# Explicit container\nskills/macaroon-bakery/scripts/bake.sh --role pay-only --container litd\n\n# Inspect a macaroon inside a container\nskills/macaroon-bakery/scripts/bake.sh --inspect /root/.lnd/data/chain/bitcoin/testnet/admin.macaroon --container litd"
      },
      {
        "title": "Remote Nodes",
        "body": "To bake macaroons on a remote lnd node, provide the connection credentials:\n\n# Bake a pay-only macaroon on a remote node\nskills/macaroon-bakery/scripts/bake.sh --role pay-only \\\n    --rpcserver remote-host:10009 \\\n    --tlscertpath ~/remote-tls.cert \\\n    --macaroonpath ~/remote-admin.macaroon \\\n    --save-to ~/remote-pay-only.macaroon\n\nYou need lncli installed locally and copies of the node's TLS cert and a macaroon\nwith macaroon:generate permission (typically admin.macaroon)."
      },
      {
        "title": "Preset Roles",
        "body": "Role\tWhat the agent can do\tCannot do\npay-only\tPay invoices, decode invoices, get node info\tCreate invoices, open channels, see balances\ninvoice-only\tCreate invoices, lookup invoices, get node info\tPay, open channels, see wallet balance\nread-only\tGet info, balances, list channels/peers/payments\tPay, create invoices, open/close channels\nchannel-admin\tAll of read-only + open/close channels, connect peers\tPay invoices, create invoices\nsigner-only\tSign transactions, derive keys (for remote signer)\tEverything else"
      },
      {
        "title": "Baking Custom Macaroons",
        "body": "For permissions not covered by presets, bake a custom macaroon:\n\n# Custom: agent can only pay and check wallet balance\nskills/macaroon-bakery/scripts/bake.sh --custom \\\n    uri:/lnrpc.Lightning/SendPaymentSync \\\n    uri:/lnrpc.Lightning/DecodePayReq \\\n    uri:/lnrpc.Lightning/WalletBalance \\\n    uri:/lnrpc.Lightning/GetInfo\n\n# Custom with explicit output path\nskills/macaroon-bakery/scripts/bake.sh --custom \\\n    uri:/lnrpc.Lightning/AddInvoice \\\n    uri:/lnrpc.Lightning/GetInfo \\\n    --save-to ~/my-agent.macaroon"
      },
      {
        "title": "Discovering Permissions",
        "body": "# List all available URI permissions\nskills/macaroon-bakery/scripts/bake.sh --list-permissions\n\n# Filter for specific service\nskills/macaroon-bakery/scripts/bake.sh --list-permissions | grep -i invoice\n\n# Filter for routing-related permissions\nskills/macaroon-bakery/scripts/bake.sh --list-permissions | grep -i router"
      },
      {
        "title": "Inspecting Macaroons",
        "body": "# See what permissions a macaroon has\nskills/macaroon-bakery/scripts/bake.sh --inspect <path-to-macaroon>\n\n# Inspect the admin macaroon to see full permissions\nskills/macaroon-bakery/scripts/bake.sh --inspect ~/.lnd/data/chain/bitcoin/mainnet/admin.macaroon"
      },
      {
        "title": "Signer Macaroon Scoping",
        "body": "When using the lightning-security-module skill, the credentials bundle includes\nadmin.macaroon by default. For production, bake a signing-only macaroon on the\nsigner machine:\n\n# On the signer container\nskills/macaroon-bakery/scripts/bake.sh --role signer-only \\\n    --container litd-signer --rpc-port 10012\n\n# Or on a native signer\nskills/macaroon-bakery/scripts/bake.sh --role signer-only \\\n    --rpc-port 10012 --lnddir ~/.lnd-signer\n\n# Then re-export the credentials bundle with the scoped macaroon"
      },
      {
        "title": "Macaroon Rotation",
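        "body": "Rotate macaroons regularly to limit the exposure window if one is compromised:\n\n# 1. Bake a new macaroon with the same role\nskills/macaroon-bakery/scripts/bake.sh --role pay-only --save-to ~/pay-only-v2.macaroon\n\n# 2. Update your agent config to use the new macaroon\n\n# 3. Delete the old macaroon's root key (invalidates it)\nskills/lnd/scripts/lncli.sh bakemacaroon --root_key_id 0\n# Note: use lncli listmacaroonids and deletemacaroonid for fine-grained control.\n# bakemacaroon only issues a macaroon; the old one stays valid until the root key ID it was\n# baked under is removed with deletemacaroonid. Root key ID 0 is the default key that lnd's\n# built-in macaroons (including admin.macaroon) also use, so bake each agent macaroon under\n# its own non-default --root_key_id if it must be revocable on its own."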
      },
      {
        "title": "Best Practices",
        "body": "One macaroon per agent role. Don't share macaroons between agents with\ndifferent responsibilities.\nNever use admin.macaroon in production. It's the master key.\nInspect before deploying. Always verify what a baked macaroon can do.\nRotate on a schedule. Monthly for production, immediately if compromised.\nScope signer macaroons too. The remote signer's credentials bundle should\nuse signer-only, not admin.\nStore with 0600 permissions. Macaroons are bearer tokens — treat like passwords."
      },
      {
        "title": "Common Permission URIs",
        "body": "Permission\tDescription\nuri:/lnrpc.Lightning/GetInfo\tNode info (version, pubkey, sync status)\nuri:/lnrpc.Lightning/WalletBalance\tOn-chain wallet balance\nuri:/lnrpc.Lightning/ChannelBalance\tLightning channel balance\nuri:/lnrpc.Lightning/ListChannels\tList open channels\nuri:/lnrpc.Lightning/ListPeers\tList connected peers\nuri:/lnrpc.Lightning/SendPaymentSync\tPay a Lightning invoice\nuri:/lnrpc.Lightning/DecodePayReq\tDecode a BOLT11 invoice\nuri:/lnrpc.Lightning/AddInvoice\tCreate a Lightning invoice\nuri:/lnrpc.Lightning/LookupInvoice\tLook up an invoice by hash\nuri:/lnrpc.Lightning/ListInvoices\tList all invoices\nuri:/lnrpc.Lightning/ListPayments\tList all payments\nuri:/lnrpc.Lightning/ConnectPeer\tConnect to a peer\nuri:/lnrpc.Lightning/OpenChannelSync\tOpen a channel\nuri:/lnrpc.Lightning/CloseChannel\tClose a channel\nuri:/signrpc.Signer/SignOutputRaw\tSign a transaction output\nuri:/signrpc.Signer/ComputeInputScript\tCompute input script for signing\nuri:/signrpc.Signer/MuSig2Sign\tMuSig2 signing\nuri:/walletrpc.WalletKit/DeriveKey\tDerive a key\nuri:/walletrpc.WalletKit/DeriveNextKey\tDerive next key in sequence"
      }
    ],
    "body": "Macaroon Bakery\n\nBake custom lnd macaroons so every agent gets only the permissions it needs. Never hand out admin.macaroon in production — bake a scoped one instead.\n\nQuick Start\n# Bake a pay-only macaroon\nskills/macaroon-bakery/scripts/bake.sh --role pay-only\n\n# Bake an invoice-only macaroon\nskills/macaroon-bakery/scripts/bake.sh --role invoice-only\n\n# Bake a read-only macaroon\nskills/macaroon-bakery/scripts/bake.sh --role read-only\n\n# Inspect any macaroon\nskills/macaroon-bakery/scripts/bake.sh --inspect ~/.lnd/data/chain/bitcoin/mainnet/admin.macaroon\n\n# List all available lnd permissions\nskills/macaroon-bakery/scripts/bake.sh --list-permissions\n\nDocker\n\nThe litd container is auto-detected. You can also specify --container:\n\n# Auto-detect litd container (default)\nskills/macaroon-bakery/scripts/bake.sh --role pay-only\n\n# Explicit container\nskills/macaroon-bakery/scripts/bake.sh --role pay-only --container litd\n\n# Inspect a macaroon inside a container\nskills/macaroon-bakery/scripts/bake.sh --inspect /root/.lnd/data/chain/bitcoin/testnet/admin.macaroon --container litd\n\nRemote Nodes\n\nTo bake macaroons on a remote lnd node, provide the connection credentials:\n\n# Bake a pay-only macaroon on a remote node\nskills/macaroon-bakery/scripts/bake.sh --role pay-only \\\n    --rpcserver remote-host:10009 \\\n    --tlscertpath ~/remote-tls.cert \\\n    --macaroonpath ~/remote-admin.macaroon \\\n    --save-to ~/remote-pay-only.macaroon\n\n\nYou need lncli installed locally and copies of the node's TLS cert and a macaroon with macaroon:generate permission (typically admin.macaroon).\n\nPreset Roles\nRole\tWhat the agent can do\tCannot do\npay-only\tPay invoices, decode invoices, get node info\tCreate invoices, open channels, see balances\ninvoice-only\tCreate invoices, lookup invoices, get node info\tPay, open channels, see wallet balance\nread-only\tGet info, balances, list channels/peers/payments\tPay, create invoices, 
open/close channels\nchannel-admin\tAll of read-only + open/close channels, connect peers\tPay invoices, create invoices\nsigner-only\tSign transactions, derive keys (for remote signer)\tEverything else\nBaking Custom Macaroons\n\nFor permissions not covered by presets, bake a custom macaroon:\n\n# Custom: agent can only pay and check wallet balance\nskills/macaroon-bakery/scripts/bake.sh --custom \\\n    uri:/lnrpc.Lightning/SendPaymentSync \\\n    uri:/lnrpc.Lightning/DecodePayReq \\\n    uri:/lnrpc.Lightning/WalletBalance \\\n    uri:/lnrpc.Lightning/GetInfo\n\n# Custom with explicit output path\nskills/macaroon-bakery/scripts/bake.sh --custom \\\n    uri:/lnrpc.Lightning/AddInvoice \\\n    uri:/lnrpc.Lightning/GetInfo \\\n    --save-to ~/my-agent.macaroon\n\nDiscovering Permissions\n# List all available URI permissions\nskills/macaroon-bakery/scripts/bake.sh --list-permissions\n\n# Filter for specific service\nskills/macaroon-bakery/scripts/bake.sh --list-permissions | grep -i invoice\n\n# Filter for routing-related permissions\nskills/macaroon-bakery/scripts/bake.sh --list-permissions | grep -i router\n\nInspecting Macaroons\n# See what permissions a macaroon has\nskills/macaroon-bakery/scripts/bake.sh --inspect <path-to-macaroon>\n\n# Inspect the admin macaroon to see full permissions\nskills/macaroon-bakery/scripts/bake.sh --inspect ~/.lnd/data/chain/bitcoin/mainnet/admin.macaroon\n\nSigner Macaroon Scoping\n\nWhen using the lightning-security-module skill, the credentials bundle includes admin.macaroon by default. 
For production, bake a signing-only macaroon on the signer machine:\n\n# On the signer container\nskills/macaroon-bakery/scripts/bake.sh --role signer-only \\\n    --container litd-signer --rpc-port 10012\n\n# Or on a native signer\nskills/macaroon-bakery/scripts/bake.sh --role signer-only \\\n    --rpc-port 10012 --lnddir ~/.lnd-signer\n\n# Then re-export the credentials bundle with the scoped macaroon\n\nMacaroon Rotation\n\nRotate macaroons regularly to limit the exposure window if one is compromised:\n\n# 1. Bake a new macaroon with the same role\nskills/macaroon-bakery/scripts/bake.sh --role pay-only --save-to ~/pay-only-v2.macaroon\n\n# 2. Update your agent config to use the new macaroon\n\n# 3. Delete the old macaroon's root key (invalidates it)\nskills/lnd/scripts/lncli.sh bakemacaroon --root_key_id 0\n# Note: use lncli listmacaroonids and deletemacaroonid for fine-grained control.\n# bakemacaroon only issues a macaroon; the old one stays valid until the root key ID it was\n# baked under is removed with deletemacaroonid. Root key ID 0 is the default key that lnd's\n# built-in macaroons (including admin.macaroon) also use, so bake each agent macaroon under\n# its own non-default --root_key_id if it must be revocable on its own.\n\nBest Practices\nOne macaroon per agent role. Don't share macaroons between agents with different responsibilities.\nNever use admin.macaroon in production. It's the master key.\nInspect before deploying. Always verify what a baked macaroon can do.\nRotate on a schedule. Monthly for production, immediately if compromised.\nScope signer macaroons too. The remote signer's credentials bundle should use signer-only, not admin.\nStore with 0600 permissions. 
Macaroons are bearer tokens — treat like passwords.\nCommon Permission URIs\nPermission\tDescription\nuri:/lnrpc.Lightning/GetInfo\tNode info (version, pubkey, sync status)\nuri:/lnrpc.Lightning/WalletBalance\tOn-chain wallet balance\nuri:/lnrpc.Lightning/ChannelBalance\tLightning channel balance\nuri:/lnrpc.Lightning/ListChannels\tList open channels\nuri:/lnrpc.Lightning/ListPeers\tList connected peers\nuri:/lnrpc.Lightning/SendPaymentSync\tPay a Lightning invoice\nuri:/lnrpc.Lightning/DecodePayReq\tDecode a BOLT11 invoice\nuri:/lnrpc.Lightning/AddInvoice\tCreate a Lightning invoice\nuri:/lnrpc.Lightning/LookupInvoice\tLook up an invoice by hash\nuri:/lnrpc.Lightning/ListInvoices\tList all invoices\nuri:/lnrpc.Lightning/ListPayments\tList all payments\nuri:/lnrpc.Lightning/ConnectPeer\tConnect to a peer\nuri:/lnrpc.Lightning/OpenChannelSync\tOpen a channel\nuri:/lnrpc.Lightning/CloseChannel\tClose a channel\nuri:/signrpc.Signer/SignOutputRaw\tSign a transaction output\nuri:/signrpc.Signer/ComputeInputScript\tCompute input script for signing\nuri:/signrpc.Signer/MuSig2Sign\tMuSig2 signing\nuri:/walletrpc.WalletKit/DeriveKey\tDerive a key\nuri:/walletrpc.WalletKit/DeriveNextKey\tDerive next key in sequence"
  },
  "trust": {
    "sourceLabel": "tencent",
    "provenanceUrl": "https://clawhub.ai/Roasbeef/lnd-macaroon-bakery",
    "publisherUrl": "https://clawhub.ai/Roasbeef/lnd-macaroon-bakery",
    "owner": "Roasbeef",
    "version": "1.0.0",
    "license": null,
    "verificationStatus": "Indexed source record"
  },
  "links": {
    "detailUrl": "https://openagent3.xyz/skills/lnd-macaroon-bakery",
    "downloadUrl": "https://openagent3.xyz/downloads/lnd-macaroon-bakery",
    "agentUrl": "https://openagent3.xyz/skills/lnd-macaroon-bakery/agent",
    "manifestUrl": "https://openagent3.xyz/skills/lnd-macaroon-bakery/agent.json",
    "briefUrl": "https://openagent3.xyz/skills/lnd-macaroon-bakery/agent.md"
  }
}