ClawHub

Cocod

v0.0.15

A Cashu ecash wallet CLI for Bitcoin and Lightning payments. Use when managing Cashu tokens, sending/receiving payments via Lightning (bolt11) or ecash, hand...

3· 2k·0 current·0 all-time
byEgge@egge21m
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Skill name/description match the instructions: all runtime actions are cocod CLI operations for managing Cashu ecash and Lightning payments. Nothing unrelated (e.g., cloud creds or unrelated system access) is requested.
Instruction Scope
SKILL.md confines the agent to running cocod commands and handling X-Cashu 402 flows. It explicitly marks wallet data (~/.cocod) as sensitive and requires explicit user permission before spending — no instructions ask the agent to read unrelated files or exfiltrate data.
Install Mechanism
The skill is instruction-only (no install spec). SKILL.md recommends installing the CLI via `bun install -g cocod`. That is reasonable but the registry metadata does not declare required binaries; the agent will need cocod (and bun/npm) available — verify you install cocod from a trusted source and that bun is appropriate for your environment.
Credentials
No env vars or credentials are declared, which matches the skill being a thin CLI wrapper. However, the skill operates on wallet data (~/.cocod) and can spend funds if commands are executed; access to that local wallet file is inherently sensitive and the SKILL.md appropriately warns about it.
Persistence & Privilege
The skill does not request permanent presence (always=false) and does not modify other skills or global agent settings. It relies on invoking the local cocod CLI when needed.
Assessment
This skill is a set of instructions for using the cocod CLI — it itself doesn't include code or request credentials. Before installing/using: (1) ensure you install cocod from a trusted package source and the version matches the skill's pinned version; (2) understand that the agent will run local cocod commands which can spend funds — only allow spend actions with explicit user confirmation; (3) keep your ~/.cocod wallet files and mnemonic safe and verify the CLI binary (checksum/signature) if possible; (4) if you prefer, run the CLI in an isolated environment (container or dedicated machine) to limit blast radius.

Like a lobster shell, security has layers — review code before you run it.

latestvk972v77cqagx6tjjh9tg4zmbv583xy4d
2kdownloads
3stars
8versions
Updated 3w ago
v0.0.15
MIT-0
Egge@egge21m
latest
Download

Cocod - Cashu Wallet CLI

Cocod is a Cashu wallet for managing ecash tokens and making Bitcoin/Lightning payments. It uses the Cashu protocol for privacy-preserving ecash transactions.

If a web/API request returns HTTP 402 Payment Required with an X-Cashu header, use this skill to parse and settle the request with cocod.

Agent Safety Policy (Required)

When acting as an AGENT with this skill:

  • Always ask for explicit user permission before running any command/flow that can spend wallet funds, unless the user has already clearly instructed you to execute that spend action.
  • Prefer preview/inspection commands before execution whenever available. For example, run cocod x-cashu parse <request> to inspect costs and requirements before cocod x-cashu handle <request>.
  • Treat ~/.cocod as sensitive. Never log, print, or expose its contents (including config, mnemonic material, wallet state, sockets, and pid files) unless the user explicitly requests a specific safe subset.
  • Always surface issues and errors encountered while using the CLI or this skill. Do not hide failures behind partial success messaging.
  • Do not manually work around CLI issues, missing behavior, or unexpected command failures without explicit user permission.

What is Cashu?

Cashu is a Chaumian ecash protocol that lets you hold and transfer Bitcoin-backed tokens privately. It enables unlinkable transactions using blind signatures.

Installation

# Install cocod CLI
bun install -g cocod

Version Compatibility

This skill is version-pinned to an exact cocod CLI release.

  • metadata.skill_version must match the npm package version.
  • metadata.requires_cocod_version is pinned to that exact same version.

Check your installed CLI version:

cocod --version

If the version does not match the pinned values in this file, update cocod before using this skill.

Quick Start

# Initialize your wallet (generates mnemonic automatically)
cocod init

# Or with a custom mint
cocod init --mint-url https://mint.example.com

# Check balance
cocod balance

Commands

Core Wallet

# Check daemon and wallet status
cocod status

# Initialize wallet with optional mnemonic
cocod init [mnemonic] [--passphrase <passphrase>] [--mint-url <url>]

# Unlock encrypted wallet (only required when initialised with passphrase)
cocod unlock <passphrase>

# Get wallet balance
cocod balance

# Test daemon connection
cocod ping

Receiving Payments

# Receive Cashu token
cocod receive cashu <token>

# Create Lightning invoice to receive
cocod receive bolt11 <amount> [--mint-url <url>]

Sending Payments

AGENT rule: commands in this section spend wallet funds. Ask for permission first unless the user already explicitly requested the spend action.

# Create Cashu token to send to someone
cocod send cashu <amount> [--mint-url <url>]

# Pay a Lightning invoice
cocod send bolt11 <invoice> [--mint-url <url>]

HTTP 402 Web Payments (NUT-24)

Use these commands when a server responds with HTTP 402 and an X-Cashu payment request.

AGENT rule: cocod x-cashu handle <request> can spend funds. Prefer cocod x-cashu parse <request> first to preview amount/requirements, then ask permission before handling unless already instructed.

# Parse an encoded X-Cashu request from a 402 response header
cocod x-cashu parse <request>

# Settle the request and get an X-Cashu payment header value
cocod x-cashu handle <request>

Typical flow:

  1. Read X-Cashu from the 402 response.
  2. Run cocod x-cashu parse <request> to inspect amount and mint requirements.
  3. Run cocod x-cashu handle <request> to generate payment token header value.
  4. Retry the original web request with returned X-Cashu: cashuB... header.

Mints

# Add a mint URL
cocod mints add <url>

# List configured mints
cocod mints list

# Get mint information
cocod mints info <url>

Lightning Address (NPC)

Lightning Addresses are email-style identifiers (like name@npubx.cash) that let others pay you over Lightning. If you have not purchased a username, NPC provides a free address from your Nostr npub; purchasing a username gives you a human-readable handle. Buying a username is a two-step flow so you can review the required sats before confirming payment.

AGENT rule: cocod npc username <name> --confirm is a spend action. Ask permission before running --confirm unless already instructed.

# Get your NPC Lightning Address
cocod npc address

# Reserve/buy an NPC username (two-step)
cocod npc username <name>
cocod npc username <name> --confirm

History

# View wallet history
cocod history

# With pagination
cocod history --offset 0 --limit 20

# Watch for real-time updates
cocod history --watch

# Limit with watch
cocod history --limit 50 --watch

Daemon Control

# Start the background daemon (started automatically when not running when required)
cocod daemon

# Stop the daemon
cocod stop

Examples

Initialize with encryption:

cocod init --passphrase "my-secret"

Receive via Lightning:

cocod receive bolt11 5000
# Returns: lnbc50u1... (share this invoice to receive)

Pay a Lightning invoice:

cocod send bolt11 lnbc100u1p3w7j3...

Send Cashu to a friend:

cocod send cashu 1000
# Returns: cashuAeyJ0b2tlbiI6...
# Friend receives with: cocod receive cashu cashuAeyJ0b2tlbiI6...

Check status and balance:

cocod status
cocod balance

View recent history:

cocod history --limit 10

Concepts

  • Cashu: Privacy-preserving ecash protocol using blind signatures
  • Mint: Server that issues and redeems Cashu tokens
  • Token: Transferable Cashu string representing satoshi value
  • Bolt11: Lightning Network invoice format
  • NPC: Lightning Address service for receiving payments
  • Mnemonic: Seed phrase for wallet recovery

Comments

Loading comments...