Skill
v0.12.3
Nostr identity setup and health-check CLI. Creates a complete Nostr identity (keypair, profile, relay list, lightning address, Cashu wallet) in one command....
by @dergigi
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description align with the declared capabilities (keypair generation, publishing Nostr events, relay probes, LNURL/Cashu interactions). No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md instructs the agent to fetch and locally compile the nihao Go tool and to run it to generate/publish identities and perform health checks. The instructions explicitly surface secret handling: by default nsec may be printed to stdout (or can be written to a file or piped to a command). This is expected for an identity CLI but means the agent must avoid exposing stdout to untrusted logs and must use --nsec-file/--nsec-cmd or stdin to protect secrets.
Install Mechanism
No prebuilt binaries; install uses 'go install github.com/dergigi/nihao@latest' which fetches source from GitHub and compiles locally. This is a common pattern but still executes third-party code (and its dependencies) on the host—moderate trust required. No arbitrary archive downloads or personal servers are used.
Credentials
The skill requests no environment variables or external credentials. Its options for persisting secrets (file or piping to a command) are appropriate for the purpose; however those mechanisms can be misused to expose secrets if the operator is careless.
Persistence & Privilege
always:false and default invocation privileges are appropriate. The skill does not request persistent system-wide configuration or cross-skill access. It will write a secret file only if the installer/agent uses the --nsec-file flag.
Assessment
This skill appears to do what it says (build a Nostr CLI and create/check identities). Things to consider before installing: 1) go install pulls and builds upstream source—review or pin the GitHub repo/commit if you require stronger supply-chain guarantees; 2) by default the tool may emit the secret key (nsec) to stdout/JSON — ensure agent logs do not leak stdout, or use --nsec-file (0600) or --nsec-cmd to store the secret in a secure local password store; 3) avoid passing secrets on the command line (the SKILL.md also warns about this); 4) run the build/install in a controlled environment if you don't trust the remote code; and 5) if you need higher assurance, audit the repository code and its dependencies before compiling.
Like a lobster shell, security has layers — review code before you run it.
