ClawHub

Stegstr

v1.0.1

Decode and embed Stegstr payloads in PNG images. Use when the user needs to extract hidden Nostr data from a Stegstr image, encode a payload into a cover PNG, or work with steganographic social networking (Nostr-in-images). Supports CLI (stegstr-cli decode, detect, embed, post) for scripts and AI agents.

1· 1.3k·0 current·0 all-time
by@brunkstr
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (PNG steganography for Nostr) align with the SKILL.md and included files: instructions show cloning the Stegstr GitHub repo and building a CLI that performs decode/detect/embed/post. There are no unrelated environment variables, credentials, or binaries requested.
Instruction Scope
Runtime instructions are narrowly scoped to cloning, building, and running the stegstr-cli tool and describe only image payload operations. The SKILL.md does reference external docs and links (stegstr.com, GitHub), but it does not instruct the agent to exfiltrate arbitrary system data. Note: the CLI offers an option to supply a private key (--privkey-hex); handling private keys is sensitive and is a user decision (not automatically required by the skill).
Install Mechanism
No platform install spec; instructions and the included install.sh perform a git clone from GitHub (github.com/brunkstr/Stegstr) and a local cargo build. Using GitHub and building from source is expected for this kind of CLI. Building and executing a compiled binary is normal but carries the usual risk of running software built from source—recommended to review/trust the repo before building.
Credentials
The skill declares no required environment variables or credentials. The included install.sh allows optional override of the repo URL via STEGSTR_REPO_URL (a convenience for advanced users) — this could be abused if a user intentionally points it at an untrusted repo, but it is not required. The CLI supports passing a private key on the command line (sensitive) — the skill does not demand secrets itself.
Persistence & Privilege
The skill is not always-enabled, does not request elevated system-wide privileges, and only needs normal filesystem access to clone/build/install to user-local directories (default ~/.local). install.sh creates user-local files and a symlink in ~/.local/bin; this is expected and proportionate.
Assessment
This skill is internally consistent with its stated purpose, but follow these precautions before installing or running it: 1) Verify the GitHub repo (https://github.com/brunkstr/Stegstr) and the project source before building; 2) Don't set STEGSTR_REPO_URL to an untrusted location—only override the repo if you trust the target; 3) Be careful with private keys: do not paste secret keys into command lines or public shells unless you understand the risk; prefer using ephemeral/sandboxed environments when building and testing unknown binaries; 4) If you need to run this in a high-security environment, review the source code (or run the build in an isolated container) before executing the produced binary.

Like a lobster shell, security has layers — review code before you run it.

latestvk97fkmtjft84g9wg8fnr32achd80pzfk

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments