The Agent Skills Directory

Unverifiable Dependencies (HIGH): The skill relies on an external subagent called lightning-auditor. This is not a standard tool in the LND ecosystem (like lncli), and its source code and security posture cannot be verified, creating a risk of executing untrusted code on financial infrastructure.
Command Execution & Privilege Escalation (HIGH): The skill executes powerful shell commands via lncli to manage channels and execute payments. It also explicitly instructs the agent to modify systemd service files and environment variables, operations that typically require root or administrative privileges and can lead to full system compromise.
Credential Exposure (HIGH): The process involves searching for and 'fixing' lnd.conf and LND_* environment variables. These files and variables are standard locations for sensitive credentials, including administrative macaroons and TLS certificates, which could be exposed to the agent context or accidentally logged during the 'Audit' and 'Execute' phases.
Indirect Prompt Injection (HIGH):
Ingestion points: The skill is triggered by and processes external data from files containing bolt11 invoices, channel handlers, and terminal output from listchannels.
Boundary markers: No delimiters or isolation protocols are used when processing untrusted invoice memos or external channel data.
Capability inventory: The agent has the capability to pay invoices (payinvoice), modify node configurations, and close/open channels.
Sanitization: There is no evidence of sanitization for strings like invoice memos, which could contain malicious instructions to divert funds or alter the audit logic.
Persistence Mechanisms (MEDIUM): The instructions to modify systemd and lnd.conf allow the skill to establish persistent changes to how the node and its associated services start and operate on the host system.

lightning