Skill v0.1.0

VirusTotal security

Archon Cashu · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review · Apr 30, 2026, 4:34 AM
Hash: b222fa039b4cbcbae28cb2adfd9e730371254a92e34417ff4731d7ada0445f8f
Source: palm
Verdict: suspicious
Code Insight
Type: OpenClaw Skill
Name: archon-cashu
Version: 0.1.0

The skill bundle is classified as suspicious due to several critical vulnerabilities and risky practices, primarily involving arbitrary command execution and supply chain risks. The `CASHU_BIN` variable, sourced from a user-configurable `CONFIG_FILE`, is executed throughout the scripts (e.g., `balance.sh`, `mint.sh`, `receive.sh`), allowing for potential Remote Code Execution if an attacker can control the configuration. Additionally, the use of `npx --yes @didcid/keymaster` in `backup.sh` and `receive.sh` introduces a significant supply chain risk, as it automatically downloads and executes an external package. The `backup.sh` script also allows for arbitrary file copying via the configurable `CASHU_WALLET_DIR`, potentially exfiltrating sensitive data if an attacker can manipulate this path. While the stated purpose is benign, these implementation flaws present high-severity attack vectors.