← 返回 Skills 市场

Cashu Emoji

Name: Cashu Emoji
Author: robwoodgate

作者 Rob Woodgate · GitHub ↗ · v0.1.0

cross-platform ⚠ suspicious

693

总下载

当前安装

版本数

在 OpenClaw 中安装

/install cashu-emoji

功能描述

Encode and decode Cashu tokens that are hidden inside emojis using Unicode variation selectors.

使用说明 (SKILL.md)

Cashu Emoji Tokens (Variation Selector encoding)

This skill helps agents decode Cashu tokens received as emoji (and encode tokens for sending), and it also supports general hidden messages inside emojis.

If the decoded text starts with cashu, it’s likely a Cashu token. Otherwise treat it as a plain hidden message.

Why this exists

Some services embed a cashu... token into an emoji using Unicode variation selectors (VS1..VS256). Chat apps often display only the emoji, but preserve the hidden selector characters.

Important: many messengers can truncate or normalize Unicode. If the variation selectors are lost, the embedded token cannot be recovered.

Quickstart (copy/paste)

git clone https://github.com/robwoodgate/cashu-emoji.git
cd cashu-emoji
npm ci

# decode a whole message (recommended)
node ./bin/cashu-emoji.js decode "\x3Cpaste message>"

# decode and print mint/unit/amount if it’s a cashu token
node ./bin/cashu-emoji.js decode "\x3Cpaste message>" --metadata

# decode as structured JSON (agent-friendly)
node ./bin/cashu-emoji.js decode "\x3Cpaste message>" --metadata --json

# encode a hidden message
node ./bin/cashu-emoji.js encode "🥜" "hello from inside an emoji"

# encode a cashu token
node ./bin/cashu-emoji.js encode "🥜" "cashuB..."

What you can do

1) Decode

Input: entire message text (may include other text/emojis)
Output: the embedded UTF‑8 text, usually a cashuA.../cashuB... token

node ./bin/cashu-emoji.js decode "\x3Cpaste entire message>"

Decode semantics (important): the decoder ignores normal characters until it finds the first variation-selector byte, then collects bytes until the first normal character after that payload begins.

2) Encode

Input: a carrier emoji (recommend 🥜) and a token string
Output: an emoji string that visually looks like the emoji but contains the hidden token

node ./bin/cashu-emoji.js encode "🥜" "cashuB..."

Tip: some messengers are less likely to deliver a truncated/corrupted emoji-token if any normal text follows it (even a single character). It’s not required, just a delivery reliability trick.

Tip (Telegram): sending the emoji-token inside a code block / “monospace” formatting can help preserve the hidden characters and makes it easier to tap-to-copy.

Optional metadata

To sanity-check the decoded token without redeeming it, you can request metadata.

For programmatic/agent use, prefer JSON output:

node ./bin/cashu-emoji.js decode "\x3Cmessage>" --metadata --json

Example JSON response (Cashu token):

{
  "text": "cashuB...",
  "isCashu": true,
  "metadata": {
    "mint": "https://mint.example",
    "unit": "sat",
    "amount": 21
  },
  "metadataError": null
}

Example JSON response (plain hidden message):

{
  "text": "hello from inside an emoji",
  "isCashu": false
}

node ./bin/cashu-emoji.js decode "\x3Cmessage>" --metadata

This prints mint/unit/amount using @cashu/cashu-ts getTokenMetadata() (no mint calls).

Cashu gotchas for new agents

A decoded cashu... token is a bearer asset. Treat it like cash.
--metadata is a local parse. It can’t prove the token is unspent/valid.
If decode returns a partial token or nonsense, the messenger likely munged the variation selectors; ask for the token to be re-sent (often with some trailing normal text after the emoji token).

Files

src/emoji-encoder.ts: core encode/decode
bin/cashu-emoji.js: CLI wrapper
examples/: test vectors

Safety

This tool only encodes/decodes text. It does not spend funds.

安全使用建议

This skill appears coherent: it decodes/encodes hidden text in emojis and only optionally uses @cashu/cashu-ts to parse token metadata locally. Before installing: 1) Be aware decoded cashu tokens are bearer assets—treat them like cash (don’t paste into public logs). 2) npm ci will fetch dependencies from the npm registry; review/verify @cashu/cashu-ts if you don’t trust that package. 3) Ensure your runtime Node version satisfies dependency engine constraints. If you want tighter containment, run the CLI in a sandboxed environment so decoded tokens cannot be accidentally transmitted by other software or services.

功能分析

Type: OpenClaw Skill Name: cashu-emoji Version: 0.1.0 The core functionality of encoding and decoding text into emojis using Unicode variation selectors is benign. However, the `SKILL.md` (and `README.md`) contains 'Quickstart' instructions that, if interpreted and executed by an AI agent, pose a prompt injection vulnerability. Specifically, `git clone https://github.com/robwoodgate/cashu-emoji.git` and `npm ci` instruct the agent to perform external network operations and potentially execute arbitrary code (via `npm ci`'s lifecycle scripts), which are risky capabilities without clear malicious intent in the current context.

能力评估

✓ Purpose & Capability

Name/description match included code and CLI: encode/decode text in emoji variation selectors. The only declared dependency (@cashu/cashu-ts) is used solely to parse token metadata locally, which aligns with the described optional --metadata feature.

✓ Instruction Scope

SKILL.md and the CLI instruct cloning, npm ci, and running the provided CLI. Runtime actions are limited to reading input (arg or stdin), encoding/decoding variation selector bytes, and optionally calling getTokenMetadata() from @cashu/cashu-ts. The README warns that decoded cashu tokens are bearer assets.

ℹ Install Mechanism

This is instruction-only for the agent (no platform install spec), but the Quickstart recommends running npm ci which will fetch packages from the npm registry (not an arbitrary URL). That network fetch is expected for a Node CLI that depends on @cashu/cashu-ts.

✓ Credentials

No environment variables, no secrets, and no config paths are requested. The dependency list is reasonable for the stated functionality and is limited to crypto/token parsing libraries used only for local metadata parsing.

✓ Persistence & Privilege

The skill does not request permanent presence (always: false) and does not modify other skills or system settings. Autonomous invocation is allowed by default (normal for skills) but not excessive here.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install cashu-emoji
安装完成后，直接呼叫该 Skill 的名称或使用 /cashu-emoji 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v0.1.0

Initial release of cashu-emoji. - Encode Cashu tokens or any hidden message inside emojis using Unicode variation selectors. - Decode emoji messages to extract embedded Cashu tokens or plain hidden text. - Detect Cashu tokens (text starts with `cashu`) and provide optional mint/unit/amount metadata. - Supports structured JSON output for agent/programmatic use. - CLI includes encode and decode commands with metadata and formatting options. - Designed to help safely transmit hidden tokens/messages through chat apps.

元数据

Slug cashu-emoji

版本 0.1.0

许可证 —

累计安装 1

当前安装数 1

历史版本数 1

常见问题

Cashu Emoji 是什么？

Encode and decode Cashu tokens that are hidden inside emojis using Unicode variation selectors. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 693 次。

如何安装 Cashu Emoji？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install cashu-emoji」即可一键安装，无需额外配置。

Cashu Emoji 是免费的吗？

是的，Cashu Emoji 完全免费（开源免费），可自由下载、安装和使用。

Cashu Emoji 支持哪些平台？

Cashu Emoji 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Cashu Emoji？

由 Rob Woodgate（@robwoodgate）开发并维护，当前版本 v0.1.0。