Skill
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: nihao
Version: 0.12.3

The 'nihao' skill is a Nostr identity management utility that allows an agent to generate keypairs, set up profiles, and perform health checks. It installs via 'go install' from a public GitHub repository (github.com/dergigi/nihao) and provides clear instructions for the agent to handle private keys securely using file permissions (0600) and non-interactive flags. No evidence of data exfiltration, malicious execution, or prompt injection was found; the tool's capabilities and instructions are entirely consistent with its stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A later or compromised upstream version could be installed and run even though it was not part of this registry review.
The reviewed package contains no code files or install spec, but the instructions fetch unpinned remote source code at install time; the installed behavior can change outside the reviewed artifact.
go install github.com/dergigi/nihao@latest
Pin the install to a reviewed version or commit, provide an install spec/checksum, and inspect the upstream source before running it.
Installing the skill may cause the agent to publish durable Nostr identity data, wallet metadata, relay lists, and a first note before the user has reviewed the exact public content.
The install-time workflow performs public account/identity creation and publishing, rather than separating installation from a user-confirmed setup action.
When an agent installs this skill: ... Step 2: Create Identity ... This generates a keypair, publishes the identity ... Posts a first note with `#nihao` hashtag
Separate installation from identity creation, and require explicit user confirmation of the name, bio, relays, wallet options, and first note before publishing.
Anyone who obtains the nsec can control or impersonate the new Nostr identity, and command output may be retained in agent logs or chat history.
The generated Nostr secret key is intentionally exposed through output or a local file; this is expected for identity creation but is a high-value credential.
prints nsec to stdout; use `--nsec-file` to write to a file ... `--json` output — includes nsec in structured output
Use a user-approved secure storage path or password manager, redact the nsec from logs and chat, and back it up outside the agent conversation.
If the wrong command is used, the secret key could be sent to an unintended program or destination.
The CLI supports running a shell command that receives the secret key on stdin; this can be useful for password managers but should not be agent-selected casually.
`--nsec-cmd <command>` — Pipe nsec to shell command (alias: `--nsec-exec`)
Only use `--nsec-cmd` with an explicit, trusted, user-approved password-manager command.
