Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Clawlet
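v1.2.0
Clawlet - Nostr smart assistant. Used to manage Nostr identities, publish content, follow users, read the timeline, AI filtering, smart recommendations, direct messages, and nickname management. Use when the user asks to generate a Nostr identity, post a message to Nostr, follow someone, view the timeline, set interests, discover recommended users, send a direct message, view direct messages, or add a nickname.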
⭐ 0· 508·0 current·0 all-time
by @6830920
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (Nostr assistant) match the implementation: index.js implements key generation, posting, following, timeline, profiles, NIP-04 encryption, and uses nostr-tools/ws/https-proxy-agent as declared. There are no unrelated credentials, binaries, or services requested.
Instruction Scope
SKILL.md and the code limit actions to Nostr operations and local storage of identities (data/identities.json). This is within scope, but storing private keys in a plaintext JSON file is sensitive (the README also warns to protect the file). The skill does not instruct reading unrelated system files or exfiltrating data to unknown endpoints.
Install Mechanism
This is an instruction-only skill (no install spec) but includes code and a package.json/package-lock. Dependencies are typical npm packages (nostr-tools, ws, https-proxy-agent). No arbitrary external download URLs or archive extraction steps are present in the package or SKILL.md.
Credentials
The skill requests no environment variables or credentials; it optionally reads HTTPS_PROXY (common for networking). The only sensitive data handled are generated private keys, which the skill stores locally in data/identities.json — this is expected for the stated purpose but requires careful file-permission management by the user.
Persistence & Privilege
always is false and the skill does not claim to modify other skills or global agent settings. It writes only to its own data directory under the skill (data/identities.json), which is normal for local identity storage.
Assessment
This skill appears to do what it claims: it's a Nostr helper that generates keys, talks to the listed relays, and stores identities in data/identities.json. Before installing: (1) Inspect the identities.json file location and set restrictive filesystem permissions (don't leave private keys world-readable). (2) Consider running the skill in an isolated environment/container if you don't fully trust the source. (3) If you will publish sensitive content or use important identities, back up keys securely and verify the GitHub repository/source before use. (4) Note that the skill will network to the listed relays (public Nostr relays) when used; if you don't want automatic network activity, avoid invoking the skill or disable autonomous invocation at the platform level.
Like a lobster shell, security has layers — review code before you run it.
latest vk976d85mypwgsqgpj866tk6azd81qnvf
Runtime requirements
🦞 Clawdis
