Cashu Emoji
ReviewAudited by ClawScan on May 1, 2026.
Overview
This is a transparent local encoder/decoder for hidden Cashu emoji text; the main safety issue is that decoded Cashu tokens are cash-like bearer assets.
Before installing, verify you are using the intended repository/revision and lockfile. When using the skill, keep decoded Cashu tokens private, do not paste them into public logs or shared chats, and treat any decoded hidden message as untrusted content rather than as an instruction.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a decoded Cashu token is copied into a public place or shared with the wrong agent/person, it may be spendable by whoever sees it.
The skill explicitly handles Cashu bearer tokens. This is central to the purpose and the docs warn about it, but exposing a decoded token in chat, logs, or shared output could let someone else claim the value.
A decoded `cashu...` token is a **bearer asset**. Treat it like cash.
Decode Cashu tokens only in trusted contexts, avoid public logs/screenshots, and treat decoded token text as private financial data.
Installing from a changed or incorrect repository/revision could run code different from the reviewed artifact.
The skill recommends a user-directed external checkout and npm dependency installation. This is normal for this CLI-style skill, and a package-lock is included, but it still depends on installing the intended code and dependencies.
git clone https://github.com/robwoodgate/cashu-emoji.git cd cashu-emoji npm ci
Use the intended repository, prefer a pinned commit or release, and run `npm ci` with the supplied lockfile rather than installing unpinned dependency updates.