ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Cashu Emoji

v0.1.0

Encode and decode Cashu tokens that are hidden inside emojis using Unicode variation selectors.

0· 587·1 current·1 all-time
byRob Woodgate@robwoodgate
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match included code and CLI: encode/decode text in emoji variation selectors. The only declared dependency (@cashu/cashu-ts) is used solely to parse token metadata locally, which aligns with the described optional --metadata feature.
Instruction Scope
SKILL.md and the CLI instruct cloning, npm ci, and running the provided CLI. Runtime actions are limited to reading input (arg or stdin), encoding/decoding variation selector bytes, and optionally calling getTokenMetadata() from @cashu/cashu-ts. The README warns that decoded cashu tokens are bearer assets.
Install Mechanism
This is instruction-only for the agent (no platform install spec), but the Quickstart recommends running npm ci which will fetch packages from the npm registry (not an arbitrary URL). That network fetch is expected for a Node CLI that depends on @cashu/cashu-ts.
Credentials
No environment variables, no secrets, and no config paths are requested. The dependency list is reasonable for the stated functionality and is limited to crypto/token parsing libraries used only for local metadata parsing.
Persistence & Privilege
The skill does not request permanent presence (always: false) and does not modify other skills or system settings. Autonomous invocation is allowed by default (normal for skills) but not excessive here.
Assessment
This skill appears coherent: it decodes/encodes hidden text in emojis and only optionally uses @cashu/cashu-ts to parse token metadata locally. Before installing: 1) Be aware decoded cashu tokens are bearer assets—treat them like cash (don’t paste into public logs). 2) npm ci will fetch dependencies from the npm registry; review/verify @cashu/cashu-ts if you don’t trust that package. 3) Ensure your runtime Node version satisfies dependency engine constraints. If you want tighter containment, run the CLI in a sandboxed environment so decoded tokens cannot be accidentally transmitted by other software or services.

Like a lobster shell, security has layers — review code before you run it.

latestvk97chnnkptr27mk091xewghxkd8188jp

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🥜 Clawdis

Comments