Back to skill
Skillv1.0.0
ClawScan security
Catallax · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousFeb 11, 2026, 1:58 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill's instructions match the Catallax/Nostr protocol, but they instruct signing/publishing commands that require the user's private key (nsec) without declaring any required credential or safe key-handling—this creates a risk of secret exposure and a mismatch between claimed requirements and runtime instructions.
- Guidance
- This skill appears to implement the Catallax/Nostr workflow correctly, but it assumes access to your Nostr signing key (nsec) and shows examples of passing it inline to the nak CLI. Before installing or using: (1) don't paste your nsec into chat or into commands that will be stored in shell history—use a secure keyring, hardware signer, or nak's secure key management; (2) expect the skill to publish signed events to public relays—review every proposed publish before it runs; (3) ask the skill author how keys are obtained/stored (the skill metadata should declare required credentials but doesn't); and (4) if you only want read-only behavior, restrict the agent to queries and avoid providing signing material. If the author can document safe key-handling (explicit required credential and secure signing flow), this would reduce the main risk.
Review Dimensions
- Purpose & Capability
- noteThe name/description (Catallax on Nostr) align with the SKILL.md: it describes browsing tasks, creating proposals, discovering arbiters, submitting deliveries and concluding tasks. Requiring access to Nostr relays and the nak client is coherent with the purpose. However, the SKILL.md expects the agent/user to supply a signing secret (nsec) for publishing events but the skill metadata declares no required credentials or primaryEnv—this is an inconsistency.
- Instruction Scope
- concernRuntime instructions include concrete shell commands using nak and explicitly show passing --sec "<nsec>" (the user's private key) inline when publishing events. There is no guidance to use secure key storage, nor does the SKILL.md declare where the agent should obtain or store the nsec. Passing secrets on the command line risks exposure (shell history, process list) and the instructions give the agent discretion to publish signed events to multiple external relays, which could be abused if signing keys are mishandled.
- Install Mechanism
- okNo install spec and no code files — the skill is instruction-only, which minimizes installation risk. It relies on external tools (nak) being present but does not attempt to download or execute arbitrary installers.
- Credentials
- concernThe SKILL.md effectively requires access to a Nostr private key (nsec) to perform publishes, but requires.env and primary credential are empty. That mismatch is concerning: a signing secret is a high-value credential and should be explicitly declared and handled with guidance for secure use (e.g., keyring, hardware signer, agent-hosted secure vault). The instructions also recommend publishing to several relays (external endpoints), which is expected for this protocol but increases the blast radius if a key is exposed.
- Persistence & Privilege
- okNo elevated persistence (always:false). The skill does not request or attempt to modify other skills or system-wide configs. Autonomous invocation is allowed by platform default but is not combined here with 'always' or other broad privileges.