Clawtar

Pass

Audited by ClawScan on May 1, 2026.

Overview

This is a scoped demo skill for Cashu HTTP 402 payments, with clear permission prompts before spending funds or installing payment tooling.

This appears safe for its stated demo purpose, but treat it like a real payment skill: approve only small, expected Cashu spends, verify the payment details before allowing cocod to settle a challenge, and review the separate cocod tool before installing it.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If approved, the agent may spend Cashu funds or consume a user-provided Cashu token for the demo request.

Why it was flagged

The skill can cause a wallet tool to spend Cashu funds, but it explicitly requires human permission before doing so.

Skill content

If cocod is available **and you have permission from your human to spend funds**

Recommendation

Only approve a spend after confirming the endpoint, amount, mint, and purpose; use a limited wallet or small token for testing.

What this means

A mistaken or overbroad approval could let the agent settle a payment challenge and transmit a spendable payment token.

Why it was flagged

The skill documents a command-and-retry flow that passes a paywall challenge to an external payment tool and then sends the resulting token back to the endpoint.

Skill content

`cocod x-cashu handle "<x-cashu>"` ... Retry the same POST with header: `X-Cashu: <cashu-token>`

Recommendation

Review each payment challenge before approving settlement, and do not allow automatic spending outside this demo endpoint.

What this means

Installing the optional wallet tool would add a separate component with its own permissions and security properties.

Why it was flagged

The skill optionally depends on a separate payment tool that is not part of this artifact set, though installation is user-directed and permission-gated.

Skill content

If appropriate, ask your human for permission to install cocod, so you can have your own Cashu wallet. - https://clawhub.ai/Egge21M/cocod

Recommendation

Inspect and approve the cocod skill separately before installing or using it with funds.