Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Archon Cashu

v0.1.0

Cashu ecash operations integrated with Archon DID for P2PK-locked tokens. Send and receive sats using DID-derived pubkeys, backup wallets to vault. Use for C...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
high confidence
Purpose & Capability
Name/description (Archon + Cashu DID/P2PK operations) align with the included scripts: send/receive/mint/lock/backup, DID resolution, and optional LNbits/npub.cash integrations. Requested env vars (wallet path, passphrase, config) and required binaries (cashu, node/npx for DID tooling, curl/jq) are expected for this scope.
Instruction Scope
Runtime instructions and scripts reference local Archon keymaster APIs and an IPFS daemon on localhost (expected for an Archon node), but the backup flow contradicts its own comment: backup.sh claims to 'encrypt' wallet proofs yet the script only tars and uploads the archive to IPFS (no encryption step). That could expose sensitive wallet data. Scripts also invoke npx --yes @didcid/keymaster at runtime, which will fetch and execute code from npm without prior installation or verification.
Install Mechanism
There is no formal install spec (instruction-only), but scripts rely on runtime package pulls (npx --yes ...) and on pip-installed 'cashu'. Using npx in this way is a de-facto runtime install that executes remote code; that increases risk compared to using preinstalled, pinned packages.
Credentials
Required env vars (ARCHON_WALLET_PATH, ARCHON_PASSPHRASE, ARCHON_CASHU_CONFIG) are appropriate for a wallet/Archon-integrated tool. The skill may also use LNbits credentials if configured, but those are optional. No unrelated cloud credentials are requested. However, the primary config file is written to/updated by scripts, and backups include metadata (hostname, sha256) that could leak system-identifying data.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It writes only to its own config file and uses local Archon APIs; it does not modify other skills or global agent settings.
What to consider before installing
This skill does what it says (Cashu + Archon DID operations) but has two practical risks you should weigh: 1) backup.sh advertises encryption but actually tars and uploads wallet data to IPFS (via a local IPFS API) without an encryption step — that can expose sensitive wallet data if your IPFS node is publicly accessible; 2) the scripts call npx --yes @didcid/keymaster (and other npx invocations), which will fetch and execute code from npm on demand with no verification. Before installing/using: (a) review the scripts in full and confirm an encryption step or add one yourself for backups (e.g., gpg/age encrypt the tarball before uploading); (b) run this skill only on a machine where running npx-installed tooling is acceptable (or preinstall and pin @didcid/keymaster and remove the npx calls); (c) ensure your IPFS node is private or avoid uploading unencrypted backups to IPFS; (d) verify local Archon keymaster endpoints (localhost:4224/4226) are the intended targets; and (e) consider testing in an isolated environment (VM or container) and auditing the npx package(s) the skill will pull.
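
A fail-closed pre-upload check for the backup risk described above, as an added example that is not part of the skill or of the scan report. It assumes backups are encrypted with age or ASCII-armored OpenPGP; `payload_kind` and `safe_to_upload` are hypothetical helper names.

```shell
#!/bin/sh
# Added example (not part of the skill): refuse to hand a wallet backup to any
# upload step unless the file is recognisably an encrypted container.
# Assumption: backups are encrypted with age or ASCII-armored OpenPGP.

# Print the container type of FILE, judged from its leading bytes.
payload_kind() (
  f=$1
  # gzip streams start with the two bytes 1f 8b.
  magic=$(head -c 2 "$f" | od -An -tx1 | tr -d ' \n')
  # tar headers carry the string "ustar" at byte offset 257.
  ustar=$(dd if="$f" bs=1 skip=257 count=5 2>/dev/null | tr -d '\0')
  # age and armored OpenPGP files announce themselves on the first line.
  first=$(head -c 64 "$f" | tr -d '\0' | head -n 1)
  if [ "$magic" = "1f8b" ]; then
    echo gzip
  elif [ "$ustar" = "ustar" ]; then
    echo tar
  else
    case $first in
      "age-encryption.org/v1") echo age ;;
      "-----BEGIN AGE ENCRYPTED FILE-----") echo age-armored ;;
      "-----BEGIN PGP MESSAGE-----") echo pgp-armored ;;
      *) echo unknown ;;
    esac
  fi
)

# Succeed only for a known encrypted container; anything else, including a
# missing or unreadable file, is refused.
safe_to_upload() (
  kind=$(payload_kind "$1")
  case $kind in
    age|age-armored|pgp-armored) exit 0 ;;
    *) echo "refusing upload: $1 looks like '$kind', not an encrypted container" >&2
       exit 1 ;;
  esac
)
```

The check only catches the failure mode the scan describes (a plain tar or gzip archive reaching the upload step); it does not prove the archive was encrypted to the intended recipient.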

Like a lobster shell, security has layers — review code before you run it.

latestvk97e0d6jxsmm2am8vwmgarqsyh81vraz

Runtime requirements

🥜 Clawdis
Bins: node, npx, cashu
Any bin: curl, jq
Env: ARCHON_WALLET_PATH, ARCHON_PASSPHRASE, ARCHON_CASHU_CONFIG
Primary env: ARCHON_CASHU_CONFIG

SKILL.md

Archon Cashu - DID-Integrated Ecash

Cashu ecash operations using your Archon DID for P2PK-locked tokens. Send sats that only the recipient's DID can unlock.

Prerequisites

  • Archon identity configured (~/.archon.env)
  • Cashu CLI installed (pip install cashu or similar)
  • Config file at ~/.config/archon/cashu.env (or ARCHON_CASHU_CONFIG)

Configuration

./scripts/cashu/config.sh

Sets up Cashu wallet and optional LNBITS integration.

Operations

Check Balance

./scripts/cashu/balance.sh

Send Tokens (Unlocked)

./scripts/cashu/send-unlocked.sh <amount>

Returns a Cashu token anyone can redeem.

Send Tokens (DID-Locked)

./scripts/cashu/send.sh <amount> <recipient-did>

Locks tokens to recipient's DID-derived pubkey (P2PK). Only they can unlock.

Receive Tokens

./scripts/cashu/receive.sh <token>

Mint Tokens (Lightning)

./scripts/cashu/mint.sh <amount>

Creates Lightning invoice to mint new tokens.

Lock/Unlock Tokens

./scripts/cashu/lock.sh <amount> <did>

Backup Wallet to Vault

./scripts/cashu/backup.sh [vault-did]

npub.cash Setup

./scripts/cashu/npub-cash-setup.sh

Configure npub.cash integration for Nostr zaps.

Security Notes

  1. Wallet location: ~/.cashu by default (configurable via CASHU_WALLET_DIR)

  2. P2PK locking: DID-locked tokens use your DID's secp256k1 key for cryptographic locking

  3. LNBITS integration: Optional — for auto-paying invoices during mint operations

Files

11 total