Cashu
Warn. Audited by ClawScan on May 10, 2026.
Overview
The skill is coherently about Cashu/Bitcoin payments, but it tells agents to bypass confirmations and automatically pay some requests, which could spend funds without clear user approval or limits.
Install only if you intentionally want an agent to help operate a Cashu wallet. Use a separate low-balance wallet, verify the `cashu` CLI source, and require manual approval with clear spend limits before any send, pay, melt, or automatic 402-payment flow.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1: An agent could spend or move Cashu/Bitcoin funds without a final human confirmation from the CLI.
The skill makes bypassing confirmations the default for wallet commands, including payment and send operations, without adding an explicit user-approval requirement or spending limit.
Evidence (SKILL.md):
> Always use the `--yes` (or `-y`) flag to skip interactive prompts and confirmations. This is **mandatory** for agent use.
Recommendation: Require explicit user approval before every spend, set a maximum amount per action/session, and only use `--yes` after the user has approved the exact payment details.
Finding 2: A website or API response could cause the agent to make payments as part of an otherwise ordinary request flow.
The skill tells the agent to treat a remote server's 402 response and `X-Cashu` header as a trigger to pay automatically, with no stated checks for amount, recipient, domain trust, or user approval.
Evidence (SKILL.md):
> This pattern is agentic-friendly: handle 402 automatically, pay, retry — just like handling rate limits or auth redirects.
Recommendation: Do not auto-pay 402 responses by default; decode and display the request, verify the amount and mint, and ask the user before paying.
Finding 3: Anyone or anything operating this skill with access to the wallet directory may be able to view balances, create tokens, or pay invoices using that wallet.
The skill relies on local wallet data that can control spendable ecash and may include sensitive wallet information; this is expected for the stated wallet purpose but is high-value access.
Evidence (SKILL.md):
> `CASHU_DIR`: Directory for wallet data (typically `~/.cashu`).
Recommendation: Use a separate low-balance wallet for agent activity, protect backups and mnemonics, and avoid pointing the agent at a primary wallet.
Finding 4: The security of wallet operations depends on the installed `cashu` CLI package and its supply chain.
The skill installs an external CLI package without pinning a version in the install command; this is expected for a CLI-based wallet skill but leaves package provenance and version verification to the user.
Evidence (install spec):
> `"command": "pipx install cashu"`
Recommendation: Verify the official Nutshell/Cashu package source, consider pinning a trusted version, and install with pipx in an isolated environment.
