Security Audit

lnbits

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

CAUTION

Scanned 3 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

lnbits received a trust score of 58/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.

SkillShield's automated analysis identified 5 findings: 2 critical, 1 high, 2 medium, and 0 low severity. Key findings include Suspicious import: urllib.request, Direct instructions to LLM in untrusted content, Admin key exposed via stdout and instructed for capture.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 18/100, indicating areas for improvement.

Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

93%

Dependency Graph

100%

LLM Behavioral Safety

18%

Behavioral Risk Signals

Network Access

1 finding

Shell Execution

1 finding

Dynamic Code

2 findings

Excessive Permissions

3 findings

Security Findings5

Severity	Finding	Layer	Location
CRITICAL	Direct instructions to LLM in untrusted content The `SKILL.md` document, which is treated as untrusted input, contains explicit instructions intended to manipulate the host LLM's behavior. Examples include 'NEVER Expose Secrets', 'You MUST ask for "Yes/No" confirmation before paying', and 'IMPORTANT: Instruct the user to save these credentials securely'. These are attempts to control the LLM's operational directives from an untrusted source, which is a form of prompt injection. Remove all direct instructions to the LLM from the `SKILL.md` file. LLM behavior should be governed by its system prompt, not by untrusted skill documentation.	LLM	SKILL.md:10
CRITICAL	Admin key exposed via stdout and instructed for capture The `lnbits_cli.py` script's `create_wallet` function returns the `adminkey` directly in its API response, which is then printed to standard output by `cmd_create`. The `SKILL.md` explicitly instructs the LLM to 'Capture the `adminkey`' from this output and then present it to the user. This constitutes a direct exfiltration and harvesting of a critical credential (the LNbits admin key), making it accessible to the LLM and potentially to logs or other unauthorized channels. The `create_wallet` function should not return the `adminkey` to stdout. If a new wallet is created, the `adminkey` should be securely stored (e.g., encrypted in a secrets manager) and only a limited-permission key (like an `invoice_key`) should be returned for general use. The `SKILL.md` should also be updated to remove instructions to capture and display the `adminkey`.	LLM	scripts/lnbits_cli.py:73
HIGH	User-provided arguments directly embedded into shell commands The `SKILL.md` instructs the LLM to construct shell commands by directly inserting user-provided values (e.g., `--memo "Pizza"`, `<bolt11_string>`) into the command string. For example, `python3 {baseDir}/scripts/lnbits_cli.py invoice --amount 1000 --memo "Pizza"`. If a malicious user provides input containing shell metacharacters (e.g., `"; rm -rf /"`), these could be executed by the underlying shell, leading to command injection. While `argparse` in the Python script mitigates some risks, the LLM's instruction to directly embed untrusted input into a shell command string is a dangerous pattern. The LLM should be instructed to sanitize or escape user-provided arguments before embedding them into shell commands. Alternatively, the skill should provide a more robust way to pass arguments that doesn't involve direct string interpolation into a shell command (e.g., using a dedicated API or a more controlled execution environment).	LLM	SKILL.md:33
MEDIUM	Suspicious import: urllib.request Import of 'urllib.request' detected. This module provides network or low-level system access. Verify this import is necessary. Network and system modules in skill code may indicate data exfiltration.	Static	skills/talvasconcelos/lnbits/scripts/lnbits_cli.py:6
MEDIUM	Skill operates with full admin privileges (LNBITS_API_KEY) The skill uses `LNBITS_API_KEY`, which is an admin key, granting full control over the LNbits wallet. All operations (balance, invoice, pay, create wallet) are performed using this high-privilege key. There are no mechanisms described to limit the scope of the key or the operations the LLM can perform, increasing the blast radius if the key is compromised or misused. Implement a principle of least privilege. If possible, use separate API keys with more granular permissions for different operations (e.g., a read-only key for `balance`, an invoice-only key for `invoice`, and a pay-only key for `pay` with strict rate limits). The `create_wallet` function should ideally return an `invoice_key` or a limited-permission key for subsequent operations, rather than the `adminkey`.	LLM	scripts/lnbits_cli.py:10

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/f08d4fd47576a4db.svg)](https://skillshield.io/report/f08d4fd47576a4db)