← Back to Skills Marketplace
macterra

Archon Cashu

by macterra · GitHub ↗ · v0.1.0
cross-platform ⚠ suspicious
438
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install archon-cashu
Description
Cashu ecash operations integrated with Archon DID for P2PK-locked tokens. Send and receive sats using DID-derived pubkeys, backup wallets to vault. Use for C...
README (SKILL.md)

Archon Cashu - DID-Integrated Ecash

Cashu ecash operations using your Archon DID for P2PK-locked tokens. Send sats that only the recipient's DID can unlock.

Prerequisites

  • Archon identity configured (~/.archon.env)
  • Cashu CLI installed (pip install cashu or similar)
  • Config file at ~/.config/archon/cashu.env (or ARCHON_CASHU_CONFIG)

Configuration

./scripts/cashu/config.sh

Sets up Cashu wallet and optional LNBITS integration.

Operations

Check Balance

./scripts/cashu/balance.sh

Send Tokens (Unlocked)

./scripts/cashu/send-unlocked.sh \x3Camount>

Returns a Cashu token anyone can redeem.

Send Tokens (DID-Locked)

./scripts/cashu/send.sh \x3Camount> \x3Crecipient-did>

Locks tokens to recipient's DID-derived pubkey (P2PK). Only they can unlock.

Receive Tokens

./scripts/cashu/receive.sh \x3Ctoken>

Mint Tokens (Lightning)

./scripts/cashu/mint.sh \x3Camount>

Creates Lightning invoice to mint new tokens.

Lock/Unlock Tokens

./scripts/cashu/lock.sh \x3Camount> \x3Cdid>

Backup Wallet to Vault

./scripts/cashu/backup.sh [vault-did]

npub.cash Setup

./scripts/cashu/npub-cash-setup.sh

Configure npub.cash integration for Nostr zaps.

Security Notes

  1. Wallet location: ~/.cashu by default (configurable via CASHU_WALLET_DIR)

  2. P2PK locking: DID-locked tokens use your DID's secp256k1 key for cryptographic locking

  3. LNBITS integration: Optional — for auto-paying invoices during mint operations

Usage Guidance
This skill does what it says (Cashu + Archon DID operations) but has two practical risks you should weigh: 1) backup.sh advertises encryption but actually tars and uploads wallet data to IPFS (via a local IPFS API) without an encryption step — that can expose sensitive wallet data if your IPFS node is publicly accessible; 2) the scripts call npx --yes @didcid/keymaster (and other npx invocations), which will fetch and execute code from npm on demand with no verification. Before installing/using: (a) review the scripts in full and confirm an encryption step or add one yourself for backups (e.g., gpg/age encrypt the tarball before uploading); (b) run this skill only on a machine where running npx-installed tooling is acceptable (or preinstall and pin @didcid/keymaster and remove the npx calls); (c) ensure your IPFS node is private or avoid uploading unencrypted backups to IPFS; (d) verify local Archon keymaster endpoints (localhost:4224/4226) are the intended targets; and (e) consider testing in an isolated environment (VM or container) and auditing the npx package(s) the skill will pull.
Capability Analysis
Type: OpenClaw Skill Name: archon-cashu Version: 0.1.0 The skill bundle is classified as suspicious due to several critical vulnerabilities and risky practices, primarily involving arbitrary command execution and supply chain risks. The `CASHU_BIN` variable, sourced from a user-configurable `CONFIG_FILE`, is executed throughout the scripts (e.g., `balance.sh`, `mint.sh`, `receive.sh`), allowing for potential Remote Code Execution if an attacker can control the configuration. Additionally, the use of `npx --yes @didcid/keymaster` in `backup.sh` and `receive.sh` introduces a significant supply chain risk, as it automatically downloads and executes an external package. The `backup.sh` script also allows for arbitrary file copying via the configurable `CASHU_WALLET_DIR`, potentially exfiltrating sensitive data if an attacker can manipulate this path. While the stated purpose is benign, these implementation flaws present high-severity attack vectors.
Capability Assessment
Purpose & Capability
Name/description (Archon + Cashu DID/P2PK operations) align with the included scripts: send/receive/mint/lock/backup, DID resolution, and optional LNbits/npub.cash integrations. Requested env vars (wallet path, passphrase, config) and required binaries (cashu, node/npx for DID tooling, curl/jq) are expected for this scope.
Instruction Scope
Runtime instructions and scripts reference local Archon keymaster APIs and an IPFS daemon on localhost (expected for an Archon node), but the backup flow contradicts its own comment: backup.sh claims to 'encrypt' wallet proofs yet the script only tars and uploads the archive to IPFS (no encryption step). That could expose sensitive wallet data. Scripts also invoke npx --yes @didcid/keymaster at runtime, which will fetch and execute code from npm without prior installation or verification.
Install Mechanism
There is no formal install spec (instruction-only), but scripts rely on runtime package pulls (npx --yes ...) and on pip-installed 'cashu'. Using npx in this way is a de-facto runtime install that executes remote code; that increases risk compared to using preinstalled, pinned packages.
Credentials
Required env vars (ARCHON_WALLET_PATH, ARCHON_PASSPHRASE, ARCHON_CASHU_CONFIG) are appropriate for a wallet/Archon-integrated tool. The skill may also use LNbits credentials if configured, but those are optional. No unrelated cloud credentials are requested. However, the primary config file is written to/updated by scripts, and backups include metadata (hostname, sha256) that could leak system-identifying data.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It writes only to its own config file and uses local Archon APIs; it does not modify other skills or global agent settings.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install archon-cashu
  3. After installation, invoke the skill by name or use /archon-cashu
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v0.1.0
Initial release of archon-cashu: DID-integrated Cashu ecash skill. - Integrates Cashu ecash token operations with Archon DID for P2PK-locked (public key-locked) tokens. - Supports sending and receiving sats using DID-derived public keys, enabling DID-locked payments. - Provides wallet backup to vault and Nostr npub.cash integration for zaps. - Includes scripts for minting, locking/unlocking, sending (standard and DID-locked), and wallet management. - Requires Archon config, passphrase, and Cashu setup; supports LNBITS integration as optional feature.
Metadata
Slug archon-cashu
Version 0.1.0
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Archon Cashu?

Cashu ecash operations integrated with Archon DID for P2PK-locked tokens. Send and receive sats using DID-derived pubkeys, backup wallets to vault. Use for C... It is an AI Agent Skill for Claude Code / OpenClaw, with 438 downloads so far.

How do I install Archon Cashu?

Run "/install archon-cashu" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Archon Cashu free?

Yes, Archon Cashu is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Archon Cashu support?

Archon Cashu is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Archon Cashu?

It is built and maintained by macterra (@macterra); the current version is v0.1.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463815 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259802 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200680 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191345 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190333 · by oswalpalash

💬 Comments