Cocod

A Cashu ecash wallet CLI for Bitcoin and Lightning payments. Use when managing Cashu tokens, sending/receiving payments via Lightning (bolt11) or ecash, hand...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (Cashu ecash wallet CLI) matches the instructions: all runtime steps are cocod CLI commands for initializing, viewing balance/history, sending/receiving tokens and handling HTTP 402 X-Cashu flows. There are no unrelated environment variables or external services requested.
Instruction Scope
SKILL.md confines agent actions to running cocod commands and handling X-Cashu HTTP 402 flows. It explicitly marks spend actions and instructs the agent to ask for user permission before spending. It calls out ~/.cocod as sensitive and warns not to leak its contents — no instructions ask the agent to read unrelated files or exfiltrate data.
Install Mechanism
This is an instruction-only skill (no install spec). The README suggests installing the cocod CLI via `bun install -g cocod`. Using bun/global installs is a reasonable way to get a CLI, but it pulls code from a package registry; the skill does not embed or verify a package URL or checksum. This is expected for a CLI-based skill but users should install from a trusted source and confirm the version.
Credentials
The skill declares no required environment variables or credentials, which matches its instruction-only nature. It does require access to the user's wallet files (e.g., ~/.cocod), which are sensitive; the SKILL.md appropriately flags them as sensitive. No other unrelated secrets are requested.
Persistence & Privilege
The skill is not always-enabled and does not request elevated persistence. Model invocation is allowed (platform default); because the skill can perform spend actions, users should ensure the agent follows the documented permission checks before autonomous spending.
Assessment
This skill appears internally consistent for controlling a cocod CLI wallet. Before installing/using it:

  1. Install the cocod CLI from a trusted source and verify the package/version (the skill pins cocod version 0.0.13).
  2. Be cautious with `bun install -g` (global installs modify your system PATH) — prefer verified release channels or checksums.
  3. Ensure the agent asks for explicit confirmation before any spend action (the SKILL.md requires this).
  4. Protect and back up your ~/.cocod wallet directory and never share its contents unless you intentionally export keys.
  5. If you want stronger guarantees, obtain the official cocod project homepage/repo and verify the package author and release artifacts before use.

Current version: v0.0.13

SKILL.md

Cocod - Cashu Wallet CLI

Cocod is a Cashu wallet for managing ecash tokens and making Bitcoin/Lightning payments. It uses the Cashu protocol for privacy-preserving ecash transactions.

If a web/API request returns HTTP 402 Payment Required with an X-Cashu header, use this skill to parse and settle the request with cocod.

Agent Safety Policy (Required)

When acting as an AGENT with this skill:

  • Always ask for explicit user permission before running any command/flow that can spend wallet funds, unless the user has already clearly instructed you to execute that spend action.
  • Prefer preview/inspection commands before execution whenever available. For example, run cocod x-cashu parse <request> to inspect costs and requirements before cocod x-cashu handle <request>.
  • Treat ~/.cocod as sensitive. Never log, print, or expose its contents (including config, mnemonic material, wallet state, sockets, and pid files) unless the user explicitly requests a specific safe subset.

What is Cashu?

Cashu is a Chaumian ecash protocol that lets you hold and transfer Bitcoin-backed tokens privately. It enables unlinkable transactions using blind signatures.

Installation

# Install cocod CLI
bun install -g cocod

Version Compatibility

This skill is version-pinned to an exact cocod CLI release.

  • skill_version must match the npm package version.
  • requires_cocod_version is pinned to that exact same version.

Check your installed CLI version:

cocod --version

If the version does not match the pinned values in this file, update cocod before using this skill.

Quick Start

# Initialize your wallet (generates mnemonic automatically)
cocod init

# Or with a custom mint
cocod init --mint-url https://mint.example.com

# Check balance
cocod balance

Commands

Core Wallet

# Check daemon and wallet status
cocod status

# Initialize wallet with optional mnemonic
cocod init [mnemonic] [--passphrase <passphrase>] [--mint-url <url>]

# Unlock encrypted wallet (only required when initialised with passphrase)
cocod unlock <passphrase>

# Get wallet balance
cocod balance

# Test daemon connection
cocod ping

Receiving Payments

# Receive Cashu token
cocod receive cashu <token>

# Create Lightning invoice to receive
cocod receive bolt11 <amount> [--mint-url <url>]

Sending Payments

AGENT rule: commands in this section spend wallet funds. Ask for permission first unless the user already explicitly requested the spend action.

# Create Cashu token to send to someone
cocod send cashu <amount> [--mint-url <url>]

# Pay a Lightning invoice
cocod send bolt11 <invoice> [--mint-url <url>]

HTTP 402 Web Payments (NUT-24)

Use these commands when a server responds with HTTP 402 and an X-Cashu payment request.

AGENT rule: cocod x-cashu handle <request> can spend funds. Prefer cocod x-cashu parse <request> first to preview amount/requirements, then ask permission before handling unless already instructed.

# Parse an encoded X-Cashu request from a 402 response header
cocod x-cashu parse <request>

# Settle the request and get an X-Cashu payment header value
cocod x-cashu handle <request>

Typical flow:

  1. Read X-Cashu from the 402 response.
  2. Run cocod x-cashu parse <request> to inspect amount and mint requirements.
  3. Run cocod x-cashu handle <request> to generate the payment token header value.
  4. Retry the original web request with the returned X-Cashu: cashuB... header.
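
The typical flow above, combined with the Agent Safety Policy's permission rule and the Version Compatibility pin, as an added example that is not part of SKILL.md or the cocod project. The function names are hypothetical, and the script assumes that `cocod --version` prints an x.y.z version string, that `cocod x-cashu handle` prints the header value on stdout, and that the encoded request uses a base64-style alphabet.

```shell
#!/bin/sh
# Added example (not from the cocod project): gated X-Cashu settlement.
# Function names are hypothetical; only documented cocod subcommands are used.
PINNED_VERSION="0.0.13"   # version this skill is pinned to, per the page

# True only if the installed CLI reports exactly the pinned version.
# Assumption: `cocod --version` prints an x.y.z version string on stdout.
version_ok() {
    cocod --version 2>/dev/null | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' |
        head -n 1 | grep -Fqx "$PINNED_VERSION"
}

# Extract the X-Cashu value from a header dump written by `curl -D <file>`.
# Header names are case-insensitive; CRs from CRLF line endings are dropped.
extract_x_cashu() {
    tr -d '\r' < "$1" |
        awk -F: 'tolower($1) == "x-cashu" { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# Preview, ask, then spend. Prints the payment header value on stdout.
# Returns 2 malformed input, 3 user declined, 4 version mismatch, 5 parse failed.
settle_402() {
    req=$1
    # The header is server-controlled: refuse empty values, option-like values
    # and anything outside a base64-style alphabet (assumed encoding).
    case $req in
        ''|-*|*[!A-Za-z0-9_+/=-]*) echo "malformed X-Cashu request" >&2; return 2 ;;
    esac
    version_ok || { echo "cocod is not v$PINNED_VERSION" >&2; return 4; }
    cocod x-cashu parse "$req" >&2 || return 5   # inspection only, no spend
    printf 'Settle this request from the wallet? [yes/NO] ' >&2
    read -r answer
    [ "$answer" = "yes" ] || { echo "declined, nothing spent" >&2; return 3; }
    cocod x-cashu handle "$req"                  # spend action
}

# Whole flow for one URL: detect 402, settle, retry with the payment header.
pay_and_retry() {
    url=$1
    hdrs=$(mktemp) || return 1
    code=$(curl -sS -o /dev/null -D "$hdrs" -w '%{http_code}' "$url") ||
        { rm -f "$hdrs"; return 1; }
    req=$(extract_x_cashu "$hdrs"); rm -f "$hdrs"
    [ "$code" = 402 ] || { echo "status $code, no payment requested" >&2; return 0; }
    token=$(settle_402 "$req") || return $?
    curl -sS -H "X-Cashu: $token" "$url"
}
```

Source the file and call `pay_and_retry <url>`; the parse preview and the prompt go to stderr so that stdout carries only the header value.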

Mints

# Add a mint URL
cocod mints add <url>

# List configured mints
cocod mints list

# Get mint information
cocod mints info <url>

Lightning Address (NPC)

Lightning Addresses are email-style identifiers (like name@npubx.cash) that let others pay you over Lightning. If you have not purchased a username, NPC provides a free address from your Nostr npub; purchasing a username gives you a human-readable handle. Buying a username is a two-step flow so you can review the required sats before confirming payment.

AGENT rule: cocod npc username <name> --confirm is a spend action. Ask permission before running --confirm unless already instructed.

# Get your NPC Lightning Address
cocod npc address

# Reserve/buy an NPC username (two-step)
cocod npc username <name>
cocod npc username <name> --confirm

History

# View wallet history
cocod history

# With pagination
cocod history --offset 0 --limit 20

# Watch for real-time updates
cocod history --watch

# Limit with watch
cocod history --limit 50 --watch

Daemon Control

# Start the background daemon (started automatically when required if it is not already running)
cocod daemon

# Stop the daemon
cocod stop

Examples

Initialize with encryption:

cocod init --passphrase "my-secret"

Receive via Lightning:

cocod receive bolt11 5000
# Returns: lnbc50u1... (share this invoice to receive)

Pay a Lightning invoice:

cocod send bolt11 lnbc100u1p3w7j3...

Send Cashu to a friend:

cocod send cashu 1000
# Returns: cashuAeyJ0b2tlbiI6...
# Friend receives with: cocod receive cashu cashuAeyJ0b2tlbiI6...

Check status and balance:

cocod status
cocod balance

View recent history:

cocod history --limit 10

Concepts

  • Cashu: Privacy-preserving ecash protocol using blind signatures
  • Mint: Server that issues and redeems Cashu tokens
  • Token: Transferable Cashu string representing satoshi value
  • Bolt11: Lightning Network invoice format
  • NPC: Lightning Address service for receiving payments
  • Mnemonic: Seed phrase for wallet recovery
