Nostr Army Knife (nak)
Pass. Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: nak
Version: 0.1.0

The skill bundle describes the 'nak' CLI, a powerful tool for interacting with the Nostr network. While the documentation (`SKILL.md`) does not contain explicit malicious instructions or code, it details capabilities that are highly sensitive and present a significant attack surface for prompt injection. Specifically, the tool handles cryptographic secret keys (`--sec` flag, `nak key generate`, `nak decode nsec1...`), performs financial transactions (`nak wallet pay`), and allows file uploads to arbitrary servers (`nak blossom upload`). The `SKILL.md` also explicitly mentions the `NOSTR_SECRET_KEY` environment variable, which the `nak` CLI will use, making it a prime target for an attacker to instruct an AI agent to extract or misuse. These capabilities, while legitimate for the tool's purpose, pose a high risk of unauthorized data exfiltration or financial loss if the agent is compromised via prompt injection.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used with your key, the agent could make public posts, upload selected files, or initiate wallet payments when asked to run these commands.
The skill documents CLI commands that can publish public content, pay a Lightning invoice, and upload a local file. These are purpose-aligned for nak, but they are state-changing actions.
`nak event -c "Hello Nostr" ...`; `nak wallet pay --sec <nsec> lnbc1...`; `nak blossom upload --server https://cdn.example.com --sec <nsec> ./image.png`
Treat publish, upload, and wallet commands as approval-required actions; verify the relay/server, file path, invoice, and content before execution.
A secret key can let commands sign as you on Nostr and may authorize wallet operations tied to that key.
The skill expects access to a Nostr secret key for signing and related wallet actions. That is central to the purpose, but it grants authority over the user's Nostr identity and is not declared in the metadata credential fields.
`NOSTR_SECRET_KEY`: Set this to avoid passing `--sec` every time.
Use a dedicated or limited key where possible, avoid exposing long-lived secret keys broadly in the environment, and only provide keys for commands you explicitly approve.
Security depends on the nak binary already present on the system or installed separately by the user.
The skill relies on an external CLI, but the provided artifacts include no install spec or reviewed binary source. The registry metadata also lists no required binaries.
compatibility: Requires `nak` CLI (v0.15.3+ recommended).
Install nak only from a trusted source, verify the version, and be cautious if a local nak binary comes from an unknown path or package.
If MCP mode is enabled, another MCP client or agent may be able to access nak capabilities depending on how it is connected and configured.
The optional MCP mode exposes nak as a tool source for agent integration, but the artifact does not describe identity, access control, or data boundaries for that server.
`nak` has an `mcp` command that starts a Model Context Protocol server. ... `nak mcp`
Only run MCP mode for trusted local clients, avoid loading broad secret-key environment variables into that session, and stop the server when it is no longer needed.
