Weave

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill is coherent for Weave crypto invoice workflows, but users should verify package provenance and confirm payment details before creating invoices or quotes.

This skill appears appropriate for Weave crypto invoicing. Before installing, verify the Weave CLI package source; before use, confirm token/network choices, amounts, invoice IDs, wallet addresses, and refund addresses. Do not provide private keys, seed phrases, JWTs, or other secrets.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken invoice amount, token/network choice, or wallet/refund address could produce incorrect payment instructions.

Why it was flagged

The skill intentionally exposes CLI actions that create payment invoices and quotes. This matches the stated purpose, but payment-related tool use should be reviewed for correct amounts, tokens, networks, and addresses.

Skill content

Use `weave` for full Weave Cash invoice lifecycle workflows:

1. Create an invoice (`weave create`)
2. Generate payment instructions (`weave quote`)
3. Track settlement (`weave status` or `weave status --watch`)

Recommendation

Confirm the user-provided amount, asset, network, wallet address, refund address, and invoice ID before running create or quote commands.

What this means

Installing the wrong or changed CLI package could alter invoice behavior or expose users to supply-chain risk.

Why it was flagged

The skill relies on external package-manager installs, including an unpinned `@latest` Go install and a global npm fallback. This is purpose-aligned and the skill says to ask before installing, but package provenance and version drift remain user-review points.

Skill content

go install github.com/AryanJ-NYC/weave-cash/apps/cli/cmd/weave@latest ... npm i -g weave-cash-cli

Recommendation

Install only after explicit approval, verify the Go module/npm package owner, and consider pinning a known-good version when possible.

What this means

Wallet addresses, refund addresses, and optional buyer details may be sent to the Weave service as part of creating or quoting invoices.

Why it was flagged

Invoice creation requires payment addresses and may include buyer contact/address data that will be handled through the Weave CLI/API workflow. This is expected for the purpose, but it is still sensitive payment-related data.

Skill content

Collect: `receive-token`, `amount`, `wallet-address` ... optional buyer fields (`description`, `buyer-name`, `buyer-email`, `buyer-address`)

Recommendation

Provide only the minimum buyer information needed, avoid private keys or secrets, and verify the intended Weave API endpoint before sending payment-related data.