Clawlet

Audit result: Pass

Audited by ClawScan on May 1, 2026.

Overview

Clawlet appears to do what it claims as a Nostr client, but it handles sensitive Nostr identity keys and can publish or send messages on the user's behalf.

Before installing, understand that this skill can control a Nostr identity, store its private key locally, and publish or message through public relays. Use it only if you are comfortable with the local key file and review public posts, follows, and private-message recipients carefully.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone or any process that can read the local identity file could potentially control the associated Nostr account.

Why it was flagged

The skill generates and stores a Nostr private key locally, which controls the user's Nostr identity.

Skill content

identities[userId] = { privateKey: skHex, publicKey: pk, npub: npub, ... }; saveIdentities(identities);

Recommendation

Protect the skill's data directory, avoid sharing the private key in chat unless necessary, and consider using encrypted storage or tighter file permissions.

What this means

Commands to post, follow, or message can create externally visible or account-affecting Nostr activity.

Why it was flagged

The skill signs and publishes Nostr events to external relays, enabling public posting and follow changes when invoked.

Skill content

ws.send(JSON.stringify(['EVENT', signedEvent]));

Recommendation

Review the exact content, recipient, and target user before asking the agent to publish, follow, or send messages.

What this means

Private-message metadata and encrypted messages may be handled through public Nostr relay infrastructure.

Why it was flagged

The skill advertises encrypted private-message handling over Nostr relays; private messages are sensitive even when protocol encryption is used.

Skill content

Private messaging - encrypted private messages (NIP-04)

Recommendation

Use private messaging only with intended recipients and understand that relay-based systems may still expose metadata such as timing and participants.

What this means

Installation depends on third-party npm packages used for Nostr, WebSocket, and proxy support.

Why it was flagged

The README instructs installing npm dependencies, while the registry install spec is absent; the included package files show normal dependencies and no lifecycle install script.

Skill content

npm install

Recommendation

Install from the documented repository or trusted registry source and keep dependency lockfiles reviewed.