# Send lnd macaroon bakery to your agent Hand the extracted package to your coding agent with a concrete install brief instead of figuring it out manually. ## Fast path - Download the package from Yavira. - Extract it into a folder your agent can access. - Paste one of the prompts below and point your agent at the extracted folder. ## Suggested prompts ### New install ```text I downloaded a skill package from Yavira. Read SKILL.md from the extracted folder and install it by following the included instructions. Tell me what you changed and call out any manual steps you could not complete. ``` ### Upgrade existing ```text I downloaded an updated skill package from Yavira. Read SKILL.md from the extracted folder, compare it with my current installation, and upgrade it while preserving any custom configuration unless the package docs explicitly say otherwise. Summarize what changed and any follow-up checks I should run. ``` ## Machine-readable fields ```json { "schemaVersion": "1.0", "item": { "slug": "lnd-macaroon-bakery", "name": "lnd macaroon bakery", "source": "tencent", "type": "skill", "category": "AI 智能", "sourceUrl": "https://clawhub.ai/Roasbeef/lnd-macaroon-bakery", "canonicalUrl": "https://clawhub.ai/Roasbeef/lnd-macaroon-bakery", "targetPlatform": "OpenClaw" }, "install": { "downloadUrl": "/downloads/lnd-macaroon-bakery", "sourceDownloadUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=lnd-macaroon-bakery", "sourcePlatform": "tencent", "targetPlatform": "OpenClaw", "packageFormat": "ZIP package", "primaryDoc": "SKILL.md", "includedAssets": [ "SKILL.md", "scripts/bake.sh" ], "downloadMode": "redirect", "sourceHealth": { "source": "tencent", "status": "healthy", "reason": "direct_download_ok", "recommendedAction": "download", "checkedAt": "2026-04-30T16:55:25.780Z", "expiresAt": "2026-05-07T16:55:25.780Z", "httpStatus": 200, "finalUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network", "contentType": "application/zip", "probeMethod": "head", "details": { "probeUrl": "https://wry-manatee-359.convex.site/api/v1/download?slug=network", "contentDisposition": "attachment; filename=\"network-1.0.0.zip\"", "redirectLocation": null, "bodySnippet": null }, "scope": "source", "summary": "Source download looks usable.", "detail": "Yavira can redirect you to the upstream package for this source.", "primaryActionLabel": "Download for OpenClaw", "primaryActionHref": "/downloads/lnd-macaroon-bakery" }, "validation": { "installChecklist": [ "Use the Yavira download entry.", "Review SKILL.md after the package is downloaded.", "Confirm the extracted package contains the expected setup assets." ], "postInstallChecks": [ "Confirm the extracted package includes the expected docs or setup files.", "Validate the skill or prompts are available in your target agent workspace.", "Capture any manual follow-up steps the agent could not complete." ] } }, "links": { "detailUrl": "https://openagent3.xyz/skills/lnd-macaroon-bakery", "downloadUrl": "https://openagent3.xyz/downloads/lnd-macaroon-bakery", "agentUrl": "https://openagent3.xyz/skills/lnd-macaroon-bakery/agent", "manifestUrl": "https://openagent3.xyz/skills/lnd-macaroon-bakery/agent.json", "briefUrl": "https://openagent3.xyz/skills/lnd-macaroon-bakery/agent.md" } } ``` ## Documentation ### Macaroon Bakery Bake custom lnd macaroons so every agent gets only the permissions it needs. Never hand out admin.macaroon in production β€” bake a scoped one instead. ### Quick Start # Bake a pay-only macaroon skills/macaroon-bakery/scripts/bake.sh --role pay-only # Bake an invoice-only macaroon skills/macaroon-bakery/scripts/bake.sh --role invoice-only # Bake a read-only macaroon skills/macaroon-bakery/scripts/bake.sh --role read-only # Inspect any macaroon skills/macaroon-bakery/scripts/bake.sh --inspect ~/.lnd/data/chain/bitcoin/mainnet/admin.macaroon # List all available lnd permissions skills/macaroon-bakery/scripts/bake.sh --list-permissions ### Docker The litd container is auto-detected. You can also specify --container: # Auto-detect litd container (default) skills/macaroon-bakery/scripts/bake.sh --role pay-only # Explicit container skills/macaroon-bakery/scripts/bake.sh --role pay-only --container litd # Inspect a macaroon inside a container skills/macaroon-bakery/scripts/bake.sh --inspect /root/.lnd/data/chain/bitcoin/testnet/admin.macaroon --container litd ### Remote Nodes To bake macaroons on a remote lnd node, provide the connection credentials: # Bake a pay-only macaroon on a remote node skills/macaroon-bakery/scripts/bake.sh --role pay-only \\ --rpcserver remote-host:10009 \\ --tlscertpath ~/remote-tls.cert \\ --macaroonpath ~/remote-admin.macaroon \\ --save-to ~/remote-pay-only.macaroon You need lncli installed locally and copies of the node's TLS cert and a macaroon with macaroon:generate permission (typically admin.macaroon). ### Preset Roles RoleWhat the agent can doCannot dopay-onlyPay invoices, decode invoices, get node infoCreate invoices, open channels, see balancesinvoice-onlyCreate invoices, lookup invoices, get node infoPay, open channels, see wallet balanceread-onlyGet info, balances, list channels/peers/paymentsPay, create invoices, open/close channelschannel-adminAll of read-only + open/close channels, connect peersPay invoices, create invoicessigner-onlySign transactions, derive keys (for remote signer)Everything else ### Baking Custom Macaroons For permissions not covered by presets, bake a custom macaroon: # Custom: agent can only pay and check wallet balance skills/macaroon-bakery/scripts/bake.sh --custom \\ uri:/lnrpc.Lightning/SendPaymentSync \\ uri:/lnrpc.Lightning/DecodePayReq \\ uri:/lnrpc.Lightning/WalletBalance \\ uri:/lnrpc.Lightning/GetInfo # Custom with explicit output path skills/macaroon-bakery/scripts/bake.sh --custom \\ uri:/lnrpc.Lightning/AddInvoice \\ uri:/lnrpc.Lightning/GetInfo \\ --save-to ~/my-agent.macaroon ### Discovering Permissions # List all available URI permissions skills/macaroon-bakery/scripts/bake.sh --list-permissions # Filter for specific service skills/macaroon-bakery/scripts/bake.sh --list-permissions | grep -i invoice # Filter for routing-related permissions skills/macaroon-bakery/scripts/bake.sh --list-permissions | grep -i router ### Inspecting Macaroons # See what permissions a macaroon has skills/macaroon-bakery/scripts/bake.sh --inspect # Inspect the admin macaroon to see full permissions skills/macaroon-bakery/scripts/bake.sh --inspect ~/.lnd/data/chain/bitcoin/mainnet/admin.macaroon ### Signer Macaroon Scoping When using the lightning-security-module skill, the credentials bundle includes admin.macaroon by default. For production, bake a signing-only macaroon on the signer machine: # On the signer container skills/macaroon-bakery/scripts/bake.sh --role signer-only \\ --container litd-signer --rpc-port 10012 # Or on a native signer skills/macaroon-bakery/scripts/bake.sh --role signer-only \\ --rpc-port 10012 --lnddir ~/.lnd-signer # Then re-export the credentials bundle with the scoped macaroon ### Macaroon Rotation Rotate macaroons regularly to limit the window if one is compromised: # 1. Bake a new macaroon with the same role skills/macaroon-bakery/scripts/bake.sh --role pay-only --save-to ~/pay-only-v2.macaroon # 2. Update your agent config to use the new macaroon # 3. Delete the old macaroon's root key (invalidates it) skills/lnd/scripts/lncli.sh bakemacaroon --root_key_id 0 # Note: use lncli listmacaroonids and deletemacaroonid for fine-grained control ### Best Practices One macaroon per agent role. Don't share macaroons between agents with different responsibilities. Never use admin.macaroon in production. It's the master key. Inspect before deploying. Always verify what a baked macaroon can do. Rotate on a schedule. Monthly for production, immediately if compromised. Scope signer macaroons too. The remote signer's credentials bundle should use signer-only, not admin. Store with 0600 permissions. Macaroons are bearer tokens β€” treat like passwords. ### Common Permission URIs PermissionDescriptionuri:/lnrpc.Lightning/GetInfoNode info (version, pubkey, sync status)uri:/lnrpc.Lightning/WalletBalanceOn-chain wallet balanceuri:/lnrpc.Lightning/ChannelBalanceLightning channel balanceuri:/lnrpc.Lightning/ListChannelsList open channelsuri:/lnrpc.Lightning/ListPeersList connected peersuri:/lnrpc.Lightning/SendPaymentSyncPay a Lightning invoiceuri:/lnrpc.Lightning/DecodePayReqDecode a BOLT11 invoiceuri:/lnrpc.Lightning/AddInvoiceCreate a Lightning invoiceuri:/lnrpc.Lightning/LookupInvoiceLook up an invoice by hashuri:/lnrpc.Lightning/ListInvoicesList all invoicesuri:/lnrpc.Lightning/ListPaymentsList all paymentsuri:/lnrpc.Lightning/ConnectPeerConnect to a peeruri:/lnrpc.Lightning/OpenChannelSyncOpen a channeluri:/lnrpc.Lightning/CloseChannelClose a channeluri:/signrpc.Signer/SignOutputRawSign a transaction outputuri:/signrpc.Signer/ComputeInputScriptCompute input script for signinguri:/signrpc.Signer/MuSig2SignMuSig2 signinguri:/walletrpc.WalletKit/DeriveKeyDerive a keyuri:/walletrpc.WalletKit/DeriveNextKeyDerive next key in sequence ## Trust - Source: tencent - Verification: Indexed source record - Publisher: Roasbeef - Version: 1.0.0 ## Source health - Status: healthy - Source download looks usable. - Yavira can redirect you to the upstream package for this source. - Health scope: source - Reason: direct_download_ok - Checked at: 2026-04-30T16:55:25.780Z - Expires at: 2026-05-07T16:55:25.780Z - Recommended action: Download for OpenClaw ## Links - [Detail page](https://openagent3.xyz/skills/lnd-macaroon-bakery) - [Send to Agent page](https://openagent3.xyz/skills/lnd-macaroon-bakery/agent) - [JSON manifest](https://openagent3.xyz/skills/lnd-macaroon-bakery/agent.json) - [Markdown brief](https://openagent3.xyz/skills/lnd-macaroon-bakery/agent.md) - [Download page](https://openagent3.xyz/downloads/lnd-macaroon-bakery)