nostr-dogechat

v1.0.0

Bridge to the DogeChat Nostr geohash chat network.

MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The code's behavior (generating a Nostr secret key, signing events, and publishing to listed relays) is coherent with a Nostr/DogeChat bridge. However there are metadata mismatches: registry metadata claimed no required binaries but _meta.json indicates node is required; SKILL.md refers to USER_CONTEXT for geohash while the implementation reads CLI args; package.json lists some deps that the code uses, but the code requires 'minimist' which is not in package.json. These disparities indicate sloppy packaging but are explainable by developer oversight.
Instruction Scope
SKILL.md instructs usage via a geohash from USER_CONTEXT and provides a CLI example, but does not disclose that the skill will create and persist a secret key file under ~/.openclaw/nostr-dogechat/identity.json. The code will generate a secret, store it in plaintext, rotate it on a 24h policy, and publish events to external WebSocket relays. The SKILL.md guardrails mention not sharing private keys but do not disclose local persistent storage or network relay publishing — this is scope creep from the user's perspective and should be called out.
Install Mechanism
This is instruction-only (no platform install spec). A package.json is present (with nostr-tools, ngeohash, @noble/hashes) but no install instructions are provided; the runtime requires node and npm modules to be available but the skill provides no mechanism to ensure they are installed. That mismatch may cause failures or surprises when running.
Credentials
The skill declares no required env credentials, but the code reads HOME and optionally OPENCLAW_AGENT_NAME and writes a plaintext secret (nsec) to ~/.openclaw/nostr-dogechat/identity.json. Generating/storing a signing key is proportional to the purpose (a Nostr identity is needed), but the storage of an unencrypted private key in the user's home directory is a privacy/security concern that was not documented in SKILL.md or registry metadata.
Persistence & Privilege
always:false (normal). The skill persists state by creating ~/.openclaw/nostr-dogechat/identity.json and rotating it after 24 hours, which is expected for an identity manager but does give the skill lasting local presence. It does not modify other skills or system-wide settings.
What to consider before installing
This skill appears to implement a Nostr/DogeChat bridge but has several mismatches and privacy-relevant behavior you should understand before installing:
- It will generate a private signing key and store it unencrypted at ~/.openclaw/nostr-dogechat/identity.json (rotated after 24h). If you don't want a plaintext secret stored on your machine, do not install/run it as-is. Consider moving storage to a secure keystore or encrypting the file.
- SKILL.md says the geohash comes from USER_CONTEXT, but the code reads CLI args; the packaging is inconsistent and the repo omits an install step. Expect to manually install Node and the npm deps (and note package.json is missing 'minimist').
- The skill will open outbound WebSocket connections to public relays (wss://relay.damus.io, wss://nos.lol, wss://relay.dogechat.org) and publish signed events under the generated identity. If you are concerned about network traffic or linking messages to a persistent identity, do not run it until you review/modify the code.

Recommendations: inspect and run the code in an isolated environment (or sandbox/VM), add encryption for the identity file or use a dedicated ephemeral identity, update package.json to declare all deps and provide an install step, and confirm you are comfortable with the relay endpoints before enabling autonomous agent invocation.

Like a lobster shell, security has layers — review code before you run it.


Runtime requirements

🐕 Clawdis
