Weave
v0.1.6
Create crypto invoices and stablecoin invoices (USDC/USDT), generate payment quotes, and monitor invoice payment status with the Weave CLI.
by Aryan J (@aryanj-nyc)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description, required binary (`weave`), and the install guidance (Go module + npm fallback) align with a CLI that creates/quotes/tracks crypto invoices. No unrelated env vars, binaries, or config paths are requested.
Instruction Scope
SKILL.md limits actions to invoking the `weave` CLI, querying `weave tokens`, creating/quoting/status workflows, and handling exit codes and JSON outputs. It explicitly forbids exposing secrets and fiat workflows. It does not instruct the agent to read unrelated files or exfiltrate data.
Install Mechanism
Install guidance uses `go install` from a GitHub module and an npm package fallback (`weave-cash-cli`), which are standard package-manager approaches and not high-risk arbitrary downloads or pipe-to-shell installers. The skill's own repo includes publish/release scripts but no hidden remote installers.
Credentials
The skill declares no required environment variables or credentials. That is proportionate for an instruction-only wrapper around a CLI. (Note: the runtime CLI may require API tokens outside the skill, but the skill does not request or assume access to unrelated secrets.)
Persistence & Privilege
`always` is false, model invocation is allowed (the platform default), and the skill does not request persistent system modifications or access to other skills' configurations. Included scripts are publishing tooling and do not run automatically.
Assessment
This skill is internally consistent and appears to be a thin wrapper around the Weave CLI. Before installing or running: (1) verify the authenticity of the referenced upstream project (github.com/AryanJ-NYC/weave-cash and the npm package name) and confirm you trust that source; (2) do not paste private keys or tokens into prompts or outputs; the SKILL.md explicitly warns about secrets; (3) when asked to install the CLI, review the exact `go install` or `npm i -g` command and confirm you want to install a global binary; (4) run `weave tokens` locally to ensure token/network support matches your expectations; and (5) be aware the code is AGPL-3.0-or-later which has copyleft/network-use obligations if you modify or operate the software as a network service. If you want extra assurance, inspect the upstream repository and the published npm package contents before running the install commands.
Like a lobster shell, security has layers — review code before you run it.
