Is a1denvalu3/cashu safe?

https://github.com/openclaw/skills/tree/main/skills/a1denvalu3/cashu

Overall score: 75 (CAUTION)

The a1denvalu3/cashu skill wraps the legitimate Nutshell Cashu ecash CLI but embeds behavioral instructions that create significant financial security risks: it mandates bypassing all payment confirmations (--yes flag) and instructs the agent to automatically pay any HTTP 402 response without user approval. Installation was clean with no credential exfiltration or unexpected network activity, but when active alongside any HTTP-capable skill, the 402 auto-pay pattern enables silent wallet drainage by any server the agent contacts. The skill lacks any safety rails, transaction limits, or user confirmation guidance expected of a financial instrument.

Category Scores

Prompt Injection 57/100 · 30%
Data Exfiltration 75/100 · 25%
Code Execution 88/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 50/100 · 5%

Findings (10)

HIGH Mandatory --yes Flag Removes All Payment Confirmations -20

The skill embeds an explicit instruction in SKILL.md that agents MUST pass --yes to every cashu command. This is framed as non-optional ('mandatory for agent use') to prevent 'hanging.' The effect is that the agent will execute all fund transfers — send, pay, melt — without any confirmation dialog or user approval. For a financial instrument controlling real Bitcoin, this is a critical safety gap embedded directly in the injected skill text.

HIGH 402 Auto-Pay Pattern Normalizes Autonomous Fund Transfer -18

The skill includes an explicit 'Agentic Pattern' section instructing the agent to detect HTTP 402 responses with X-Cashu headers and immediately pay them without consulting the user, then retry the original request. The skill explicitly frames this as equivalent to handling auth redirects or rate limits — collapsing the conceptual distinction between financial and non-financial network operations. Any attacker who can make the agent call a URL they control can trigger payment.

HIGH Cross-Skill Wallet Drainer Attack Vector -30

When this skill is active alongside any skill that makes HTTP requests (web browsing, API calls, tool use), a malicious server can silently drain the user's ecash wallet. The attack chain: (1) the user asks the agent to fetch data from any URL, (2) the attacker-controlled endpoint returns HTTP 402 with an X-Cashu header pointing to the attacker's mint, (3) the agent pays without confirmation per the skill's instructions, (4) the agent retries with the token. The entire flow is invisible to the user; no confirmation step exists in the prescribed flow.

MEDIUM Skill Controls Real Financial Wallet With No Transaction Limits -15

The skill manages a live Bitcoin/ecash wallet at ~/.cashu containing real funds. The skill provides no guidance on transaction amount limits, user confirmation thresholds, or per-session spending caps. Any attacker who can trigger the 402 flow or directly instruct the agent to 'send' can move arbitrary amounts up to the wallet balance without user awareness.

MEDIUM No Safety Rails for Agent Financial Operations -15

A well-designed financial skill for agent use should include explicit guidance to confirm amounts with the user before execution, set per-session limits, and log all transactions. This skill does the opposite: it mandates confirmation bypass and frames automated payment as the desired behavior. There is no defensive guidance for the agent anywhere in the skill.

MEDIUM LNURL Static Lightning Address Creates Trackable Identity -10

The skill's LNURL section instructs the agent to create a static Lightning Address (e.g., [email protected]) for the user's wallet. This persistent address can be used to correlate all incoming payments across sessions, de-anonymize the user's financial activity, and link the wallet to a stable identifier — undermining the privacy properties of Cashu/ecash.

LOW PyPI Package Installation Represents Supply Chain Risk -12

The skill's install step runs 'pipx install cashu' from PyPI. While the nutshell/cashu project at cashubtc/nutshell is legitimate, PyPI package names can be squatted and packages can be compromised post-publication. If the 'cashu' package on PyPI is ever compromised, the install step would execute attacker code in the user's environment.

LOW Rapid Version Churn From Pseudonymous Author -5

Four versions published in approximately 5 days (0.18.6, 0.19.4, 0.19.5, 0.19.6) from an author listed only as 'OpenClaw User' with no public identity or changelog. Rapid iteration on a skill that embeds behavioral instructions around financial operations is a yellow flag for iterative refinement of manipulation techniques.

INFO Install Connected Only to GitHub — Clean Network Behavior 0

During installation monitoring, the only external network connection observed was to 140.82.121.4:443 (GitHub HTTPS) for the git sparse-checkout clone. No connections to third-party servers, C2 infrastructure, or unexpected destinations were detected.

INFO No Credential Exfiltration Observed During Install 0

Honeypot canary files were placed at .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .gcloud/application_default_credentials.json. Post-install verification confirmed all files intact. The read accesses observed in inotify and auditd logs for these paths were exclusively from the monitoring framework's own setup and verification passes, not from any skill-attributed process.