Archon Cashu

Author: macterra · v0.1.0
cross-platform ⚠ suspicious
Total downloads: 438
Favorites: 0
Current installs: 0
Versions: 1
Install in OpenClaw
/install archon-cashu
Description
Cashu ecash operations integrated with Archon DID for P2PK-locked tokens. Send and receive sats using DID-derived pubkeys, backup wallets to vault. Use for C...
Usage (SKILL.md)

Archon Cashu - DID-Integrated Ecash

Cashu ecash operations using your Archon DID for P2PK-locked tokens. Send sats that only the recipient's DID can unlock.

Prerequisites

  • Archon identity configured (~/.archon.env)
  • Cashu CLI installed (pip install cashu or similar)
  • Config file at ~/.config/archon/cashu.env (or ARCHON_CASHU_CONFIG)

Configuration

./scripts/cashu/config.sh

Sets up Cashu wallet and optional LNBITS integration.

Operations

Check Balance

./scripts/cashu/balance.sh

Send Tokens (Unlocked)

./scripts/cashu/send-unlocked.sh <amount>

Returns a Cashu token anyone can redeem.

Send Tokens (DID-Locked)

./scripts/cashu/send.sh <amount> <recipient-did>

Locks tokens to recipient's DID-derived pubkey (P2PK). Only they can unlock.

Receive Tokens

./scripts/cashu/receive.sh <token>

Mint Tokens (Lightning)

./scripts/cashu/mint.sh <amount>

Creates Lightning invoice to mint new tokens.

Lock/Unlock Tokens

./scripts/cashu/lock.sh <amount> <did>

Backup Wallet to Vault

./scripts/cashu/backup.sh [vault-did]

npub.cash Setup

./scripts/cashu/npub-cash-setup.sh

Configure npub.cash integration for Nostr zaps.

Security Notes

  1. Wallet location: ~/.cashu by default (configurable via CASHU_WALLET_DIR)

  2. P2PK locking: DID-locked tokens use your DID's secp256k1 key for cryptographic locking

  3. LNBITS integration: Optional — for auto-paying invoices during mint operations

Security Recommendations
This skill does what it says (Cashu + Archon DID operations) but has two practical risks you should weigh:

  1) backup.sh advertises encryption but actually tars and uploads wallet data to IPFS (via a local IPFS API) without an encryption step — that can expose sensitive wallet data if your IPFS node is publicly accessible;
  2) the scripts call npx --yes @didcid/keymaster (and other npx invocations), which will fetch and execute code from npm on demand with no verification.

Before installing/using:

  (a) review the scripts in full and confirm an encryption step or add one yourself for backups (e.g., gpg/age encrypt the tarball before uploading);
  (b) run this skill only on a machine where running npx-installed tooling is acceptable (or preinstall and pin @didcid/keymaster and remove the npx calls);
  (c) ensure your IPFS node is private or avoid uploading unencrypted backups to IPFS;
  (d) verify local Archon keymaster endpoints (localhost:4224/4226) are the intended targets; and
  (e) consider testing in an isolated environment (VM or container) and auditing the npx package(s) the skill will pull.
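
Part of the script review recommended above can be automated. The following is an added example (not code from the skill or from this page's scanner) that flags `npx --yes` calls lacking an exact version pin and scripts that build a tar archive without invoking gpg, age or openssl enc. The sample scripts, the variables `$OUT` and `$IPFS_API`, and the version `0.0.0` are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: static pre-use audit of a skill's shell scripts.

# Print "file:line" for each `npx --yes|-y <pkg>` call whose package lacks an
# exact @x.y.z version pin (code fetched from npm and executed on demand).
find_unpinned_npx() {
  grep -rnE --include='*.sh' 'npx[[:space:]]+(--yes|-y)[[:space:]]+' "$1" |
    grep -vE 'npx[[:space:]]+(--yes|-y)[[:space:]]+(@[^/[:space:]]+/)?[^@[:space:]]+@[0-9]+\.[0-9]+\.[0-9]+' |
    cut -d: -f1,2
}

# Return 0 when a script builds a tar archive but no non-comment line calls
# an encryption tool (gpg, age, openssl enc). Heuristic, not a proof.
tars_without_encrypting() {
  local code
  code=$(grep -vE '^[[:space:]]*#' "$1")
  printf '%s\n' "$code" | grep -qE '(^|[^[:alnum:]_])tar[[:space:]]' || return 1
  ! printf '%s\n' "$code" |
    grep -qE '(^|[^[:alnum:]_])(gpg|age|openssl[[:space:]]+enc)([[:space:]]|$)'
}

# Constructed sample scripts (not the skill's real files), written to a temp dir.
make_sample_skill() {
  local d
  d=$(mktemp -d)
  cat > "$d/backup.sh" <<'EOF'
#!/bin/bash
# Encrypt and back up wallet proofs
tar czf "$OUT" -C "$CASHU_WALLET_DIR" .
curl -s -F "file=@$OUT" "$IPFS_API/api/v0/add"
npx --yes @didcid/keymaster "$@"
EOF
  cat > "$d/receive.sh" <<'EOF'
#!/bin/bash
# 0.0.0 is a placeholder version, not a real release
npx --yes @didcid/keymaster@0.0.0 "$@"
EOF
  printf '%s\n' "$d"
}

sample=$(make_sample_skill)
find_unpinned_npx "$sample"
if tars_without_encrypting "$sample/backup.sh"; then
  echo "backup.sh: tars data with no encryption step"
fi
rm -rf "$sample"
```

Comment lines are ignored on purpose, so a script that only claims encryption in a comment is still flagged.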
Functional Analysis
Type: OpenClaw Skill
Name: archon-cashu
Version: 0.1.0

The skill bundle is classified as suspicious due to several critical vulnerabilities and risky practices, primarily involving arbitrary command execution and supply chain risks. The `CASHU_BIN` variable, sourced from a user-configurable `CONFIG_FILE`, is executed throughout the scripts (e.g., `balance.sh`, `mint.sh`, `receive.sh`), allowing for potential Remote Code Execution if an attacker can control the configuration. Additionally, the use of `npx --yes @didcid/keymaster` in `backup.sh` and `receive.sh` introduces a significant supply chain risk, as it automatically downloads and executes an external package. The `backup.sh` script also allows for arbitrary file copying via the configurable `CASHU_WALLET_DIR`, potentially exfiltrating sensitive data if an attacker can manipulate this path. While the stated purpose is benign, these implementation flaws present high-severity attack vectors.
Capability Assessment
Purpose & Capability
Name/description (Archon + Cashu DID/P2PK operations) align with the included scripts: send/receive/mint/lock/backup, DID resolution, and optional LNbits/npub.cash integrations. Requested env vars (wallet path, passphrase, config) and required binaries (cashu, node/npx for DID tooling, curl/jq) are expected for this scope.
Instruction Scope
Runtime instructions and scripts reference local Archon keymaster APIs and an IPFS daemon on localhost (expected for an Archon node), but the backup flow contradicts its own comment: backup.sh claims to 'encrypt' wallet proofs yet the script only tars and uploads the archive to IPFS (no encryption step). That could expose sensitive wallet data. Scripts also invoke npx --yes @didcid/keymaster at runtime, which will fetch and execute code from npm without prior installation or verification.
Install Mechanism
There is no formal install spec (instruction-only), but scripts rely on runtime package pulls (npx --yes ...) and on pip-installed 'cashu'. Using npx in this way is a de-facto runtime install that executes remote code; that increases risk compared to using preinstalled, pinned packages.
Credentials
Required env vars (ARCHON_WALLET_PATH, ARCHON_PASSPHRASE, ARCHON_CASHU_CONFIG) are appropriate for a wallet/Archon-integrated tool. The skill may also use LNbits credentials if configured, but those are optional. No unrelated cloud credentials are requested. However, the primary config file is written to/updated by scripts, and backups include metadata (hostname, sha256) that could leak system-identifying data.
Persistence & Privilege
The skill is not always-enabled and does not request elevated platform privileges. It writes only to its own config file and uses local Archon APIs; it does not modify other skills or global agent settings.
How to Use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install archon-cashu
  3. Once installed, invoke the skill by name or trigger it with /archon-cashu
  4. Provide the inputs required by the skill's parameter description to get structured output
Version History
v0.1.0
Initial release of archon-cashu: DID-integrated Cashu ecash skill.
  • Integrates Cashu ecash token operations with Archon DID for P2PK-locked (public key-locked) tokens.
  • Supports sending and receiving sats using DID-derived public keys, enabling DID-locked payments.
  • Provides wallet backup to vault and Nostr npub.cash integration for zaps.
  • Includes scripts for minting, locking/unlocking, sending (standard and DID-locked), and wallet management.
  • Requires Archon config, passphrase, and Cashu setup; supports LNBITS integration as optional feature.
Metadata
Slug archon-cashu
Version 0.1.0
License
Total installs 0
Current installs 0
Versions 1
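FAQ

What is Archon Cashu?

Cashu ecash operations integrated with Archon DID for P2PK-locked tokens. Send and receive sats using DID-derived pubkeys, backup wallets to vault. Use for C... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 438 total downloads to date.

How do I install Archon Cashu?

Run the command "/install archon-cashu" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is Archon Cashu free?

Yes, Archon Cashu is completely free (free and open source) and can be freely downloaded, installed and used.

Which platforms does Archon Cashu support?

Archon Cashu runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Archon Cashu?

It is developed and maintained by macterra (@macterra); the current version is v0.1.0.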
