Archon Cashu

Security checks across malware telemetry and agentic risk

Overview

This wallet skill mostly matches its stated purpose, but its backup flow can expose sensitive wallet data by uploading an unencrypted archive to IPFS while describing it as an encrypted vault backup.

Review before installing. Only use this skill with small funds unless you are comfortable auditing the scripts. Do not run backup.sh as-is for a real wallet unless you first add client-side encryption or disable IPFS upload, and verify any npx package and config file paths before using fund-moving commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The script states that wallet proofs are encrypted, but it creates a plain tar.gz archive and uploads it directly to IPFS. IPFS CIDs are content-addressed references, not encryption, so anyone who obtains the CID or accesses the local node/pinning path may retrieve sensitive wallet data and metadata.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The manifest implies backups go to a vault, but the implementation uploads full wallet backup contents to IPFS and stores only the CID in the vault. This broadens data exposure beyond the expected trust boundary and can mislead operators into believing data stays confined to the vault system.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The script creates a bearer Cashu token and sends it as plain message content over dmail, while the skill metadata emphasizes DID-derived pubkey locking for P2PK-locked transfers. That mismatch is security-relevant: anyone who can read, intercept, log, or access the message body can redeem the value, so the transfer lacks the intended recipient binding and degrades to insecure bearer-token delivery.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The invocation language is broad enough to encourage use for general 'ecash wallet management' without specifying concrete triggers, approval requirements, or operation boundaries. In the context of a wallet skill, that can lead to overbroad autonomous execution of sensitive actions such as sending funds, minting, receiving, or backing up wallet material based on vague prompts.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill describes wallet backup to a vault but does not warn that sensitive wallet data may be written to external storage, and the broader behavior indicates backup references may involve IPFS and other systems beyond a local wallet. For ecash wallets, unclear backup handling can expose spendable material or recovery artifacts to unintended parties, creating theft and privacy risks that users may not anticipate from the documentation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script transmits wallet backup data and associated metadata over network interfaces without an explicit warning or informed consent at the point of backup. In a wallet context, silent external transfer of proofs, balances, hostnames, and paths increases the chance of privacy loss, credential-equivalent token exposure, and unexpected third-party storage.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script creates a spendable Cashu token and prints it directly to stdout with no confirmation, redaction, or safer output handling. Because bearer-style ecash tokens are effectively the secret itself, accidental terminal logging, shell history capture, pipeline forwarding, or exposure through higher-level agent tooling can immediately enable unauthorized spending. The skill context makes this more dangerous because it is explicitly designed for token transfer and automation, increasing the chance that secrets are handled in chat, logs, or other untrusted channels.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script automatically extracts token-like strings from recent Nostr DMs and passes them directly to the Cashu wallet receive command without user confirmation, sender validation, or strict format verification. In this skill's context, DMs are untrusted external input; auto-redeeming them can let an attacker trigger unwanted wallet actions, spam/error conditions, or trick the user into redeeming malicious or unintended tokens.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script transmits the full ecash token as message content without any explicit warning that the body contains immediately redeemable monetary value. In this skill context, that is especially dangerous because users may assume DID-based protection from the package description, yet the message body contains a portable bearer asset that can be stolen through mailbox compromise, logging, forwarding, or copy/paste mistakes.

External Transmission

Medium
Category
Data Exfiltration
Content
echo "📌 IPFS CID: $IPFS_CID"
    
    # Store backup reference in vault via keymaster API
    STORE_RESULT=$(curl -s -X POST "http://localhost:4226/api/v1/vaults/$VAULT_DID" \
        -H "Content-Type: application/json" \
        -d "{\"key\": \"cashu-backup-${TIMESTAMP}\", \"value\": {\"cid\": \"$IPFS_CID\", \"timestamp\": \"$TIMESTAMP\", \"balance\": \"$BALANCE\", \"sha256\": \"$(sha256sum "$TARBALL" | cut -d' ' -f1)\"}}" 2>/dev/null)
Confidence
84% confidence
Finding
curl -s -X POST "http://localhost:4226/api/v1/vaults/$VAULT_DID" \ -H "Content-Type: application/json" \ -d

VirusTotal

66/66 vendors flagged this skill as clean.
