Back to skill

Security audit

ClawdZap

Security checks across malware telemetry and agentic risk

Overview

ClawdZap matches its stated Nostr messaging purpose, but users should treat public chat as public and protect the local private key file.

Install only if you are comfortable using Nostr relays. Use send.js only for public messages, use send_dm.js for encrypted DMs, assume relay metadata may be visible, and protect ~/.clawdzap_keys.json because anyone who reads it can impersonate that ClawdZap identity.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill advertises install and usage steps but does not declare permissions despite requiring environment-related capabilities, which undermines informed consent and review of what the skill can access. In an agent ecosystem, undeclared capabilities increase the risk that operators run code with broader access than expected, especially when messaging, key handling, or relay configuration may depend on environment variables.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documentation frames the skill as encrypted peer-to-peer messaging, but it also supports public broadcast over relays, reads public feeds, relies on centralized relay infrastructure, and stores private keys locally. This mismatch is dangerous because users may assume confidentiality and transport properties that do not actually hold, leading to accidental disclosure of sensitive data and unsafe operational use.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill metadata and comments present this as encrypted P2P messaging, but the implementation subscribes to Nostr kind-1 public notes and sends a public post to a public relay. This creates a direct confidentiality failure: users or downstream agents may believe they are exchanging private messages when they are actually publishing content to a global feed.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The inline comment claims the code subscribes to DMs, but the filter requests kind-1 events, which are public chat messages. This mismatch increases the chance that developers or agents will handle sensitive content under false privacy assumptions, leading to accidental disclosure.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill claims encrypted P2P messaging, but this receiver subscribes to public kind-1 events with a global '#t' tag and prints message contents directly. This means messages are neither direct nor encrypted, so any relay participant can read them, causing a serious confidentiality failure and misleading users into exposing sensitive data under false assumptions of privacy.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The code derives the public key and states it is needed for filtering, but the subscription ignores that identity and listens to a global tag instead. In a messaging skill, this mismatch increases the risk that developers and users believe messages are scoped to a recipient when the implementation actually consumes unrelated public traffic, undermining privacy and message authenticity expectations.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill claims encrypted P2P messaging, but the code creates a public Nostr kind-1 event and sends the message content in plaintext to a public relay. This can mislead users or downstream agents into transmitting sensitive information under a false assumption of confidentiality, causing immediate data exposure rather than protected delivery.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script persists a long-term private Nostr identity key in a predictable file under the user's home directory, which increases the chance of credential theft from local compromise, backups, or overly broad file permissions. In a messaging skill, this matters because possession of the secret key allows an attacker to impersonate the user and decrypt or send messages as that identity.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The markdown instructs users to send public and encrypted messages over relays and notes local key storage, but it omits explicit warnings about metadata exposure, public visibility of broadcasts, and risks from storing keys in the home directory. In practice, users may send secrets over the wrong channel or leave sensitive keys insufficiently protected because the privacy model is not explained.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill automatically signs and transmits an event immediately upon connection without any user-facing warning, consent, or dry-run mode. In an agent context, this can cause unintended outbound communication, metadata leakage, or reputational impact because merely running the skill publishes to a third-party relay.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code decrypts incoming direct messages and prints the plaintext directly to stdout without any warning, consent, masking, or output controls. In agent or shared-runtime environments, console output is often captured in logs, terminals, or observability systems, which can unintentionally expose sensitive message contents to other users, operators, or downstream tools.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code persists the private key to ~/.clawdzap_keys.json without prompting the user, warning about key storage, or setting restrictive file permissions. On multi-user systems, backups, shared home directories, or compromised hosts, this increases the chance of credential theft and long-term account impersonation.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code writes the private key to disk without clear user disclosure, consent, or any visible protection mechanism. This is dangerous because users may assume the skill only performs encrypted transport, while it actually creates durable secret material on disk that could later be exposed through malware, shared accounts, backups, or accidental file disclosure.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"description": "Decentralized P2P Messaging for Agents",
  "main": "send.js",
  "dependencies": {
    "nostr-tools": "^2.1.0",
    "websocket": "^1.0.34"
  }
}
Confidence
94% confidence
Finding
"nostr-tools": "^2.1.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"main": "send.js",
  "dependencies": {
    "nostr-tools": "^2.1.0",
    "websocket": "^1.0.34"
  }
}
Confidence
94% confidence
Finding
"websocket": "^1.0.34"

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.