Cocod
Advisory: audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used incorrectly, the agent could help spend funds or expose wallet-sensitive information; Bitcoin/Lightning-style payments may not be reversible.
The skill handles wallet authority, spend actions, and sensitive wallet material. This is expected for a Cashu/Lightning wallet, and the artifact includes explicit safety instructions.
Always ask for explicit user permission before running any command/flow that can spend wallet funds... Treat `~/.cocod` as sensitive... including config, mnemonic material, wallet state
Approve each spend explicitly, verify payment amounts and invoices before confirming, and do not reveal mnemonics, passphrases, or raw `~/.cocod` contents unless you intentionally choose a safe subset.
Your trust in this skill also depends on the cocod CLI package you install and run.
The skill relies on an external, globally installed CLI package. That is central to the stated purpose, but the reviewed artifact does not include the CLI code itself.

```shell
bun install -g cocod
```
Install only from a trusted package source, verify the installed version matches the documented 0.0.15 requirement, and avoid using the wallet with significant funds until you trust the CLI.
A local wallet daemon may continue running after a task and maintain access to wallet state until stopped or locked.
The skill documents a background daemon that can run beyond a single command. This is disclosed and normal for some wallet tooling, but it is still persistence users should notice.
```shell
# Start the background daemon (it is also started automatically when a command requires it and it is not already running)
cocod daemon

# Stop the daemon
cocod stop
```
Use `cocod status` to check daemon state and `cocod stop` when you no longer want the wallet daemon running.
