ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Sigil Nostr — P2P Encrypted Messaging for AI Agents

v0.1.1

Nostr P2P messaging gateway for AI agents. Send and receive E2E encrypted messages via the Nostr protocol. Enables your agent to be reachable from Sigil Mess...

0· 76·0 current·0 all-time
by@lmanchu
Security Scan
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The skill's name/description (Nostr P2P gateway for AI agents) aligns with the included SKILL.md and bridge.js which create keys, talk to relays, and forward messages. It legitimately needs to read/write ~/.sigil and call sigil-cli/cargo for key generation. Minor inconsistency: the runtime references environment variables (SIGIL_RELAY, SIGIL_AGENT, SIGIL_MODE, SIGIL_OWNER) but the registry metadata lists no required env vars.
!
Instruction Scope
The SKILL.md and bridge.js instruct the agent to create persistent key files (~/.sigil/*.key and access.json) and to forward incoming DMs to the agent. However the Node bridge uses execSync to run external CLIs with content derived from incoming messages (hermes chat -q "<message>"). The code only escapes double quotes and invokes a shell; command-substitution/expansion (e.g. $(...), `...`, $VAR) can still be interpreted by the shell, so an attacker-supplied message could cause arbitrary command execution when the bridge is run in hermes mode. The instructions don't mention this injection risk or mitigate it.
Install Mechanism
There is no formal install spec (instruction-only skill). The SKILL.md asks users to run cargo install from a GitHub repo which is a common but non-trivial operation (building and running code fetched from upstream). This is a moderate-risk action because it builds and installs third-party code from a repository; the Node bridge itself does not auto-install extra packages.
Credentials
No credentials are requested in the registry metadata, and the skill does not request unrelated cloud credentials. It does read/write private key material to ~/.sigil (expected for a messaging bridge). The SKILL.md and bridge.js reference several optional env vars (SIGIL_RELAY, SIGIL_AGENT, SIGIL_MODE, SIGIL_OWNER) but these were not declared in the skill metadata — this mismatch should be documented for users who rely on declared requirements.
!
Persistence & Privilege
The bridge creates persistent files in the user's home (~/.sigil/*.key and access.json) which is consistent with its purpose. However, combined with the execSync usage, this creates a higher blast radius: if the agent or bridge autonomously processes incoming messages (the skill is user-invocable and model-invocation is enabled by default), a crafted message could trigger command execution on the host. The skill does not require always:true (good), and it does not modify other skills' configs.
What to consider before installing
This skill appears to do what it says (a Nostr bridge), but exercise caution before installing. Key points: - Do not run the Node bridge in 'hermes' mode unless you trust all senders: the bridge constructs a shell command from incoming messages and only escapes quotes, which allows command substitution/injection. - Prefer the Rust hermes_bridge example (recommended by the author) for production; the Node script is documented as a reference implementation. - The skill will create and store private keys at ~/.sigil/*.key and an access JSON; ensure you understand and protect those files (use passphrase encryption if supported). - The SKILL.md recommends running cargo install from a GitHub repo — verify the repo and review its code before building. - If you want to use this, run it in a restricted environment (container or VM), review/patch the execSync call to avoid shell interpolation (use child_process.execFile or pass args as an array), and ensure a strict whitelist for authorized npubs.
bridge.js:63
Shell command execution detected (child_process).
bridge.js:29
Environment variable access combined with network send.
!
bridge.js:23
File read combined with network send (possible exfiltration).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Clawdis
latestvk972hy7xagcz0a1qmcycadzbk983vbq3
76downloads
0stars
2versions
Updated 3w ago
v0.1.1
MIT-0
@lmanchu
latest
Download

Sigil Nostr — P2P Encrypted Messaging for AI Agents

Give your AI agent a Nostr identity. Users can message your agent from Sigil Messenger, Damus, Primal, or any Nostr client — all E2E encrypted.

What This Does

  • Creates a persistent Nostr keypair for your agent (~/.sigil/<agent-name>.key)
  • Connects to Nostr relays and listens for NIP-04 encrypted DMs
  • Routes incoming messages to your agent, sends replies back via Nostr
  • Supports TUI components (buttons, cards, tables) for rich responses
  • Personal agent mode: only whitelisted npubs can interact

Quick Start

1. Install Sigil CLI

cargo install --git https://github.com/lmanchu/sigil sigil-cli

2. Start as Agent Bridge

The simplest way — pipe messages between Nostr and your agent:

# Generate agent identity
sigil whoami

# Your agent's npub is shown — users can DM this to reach your agent
# Add your npub to the access whitelist:
# Edit ~/.sigil/<agent>.access.json → add npub to "authorized" array

3. Use from OpenClaw / Hermes

This skill works with both OpenClaw and Hermes agent frameworks.

OpenClaw: Add to your openclaw.json channels config:

{
  "channels": {
    "nostr": {
      "enabled": true,
      "relay": "wss://relay.damus.io",
      "dmPolicy": "personal",
      "allowFrom": ["npub1yourownpubkey..."]
    }
  }
}

Hermes: Install as a skill:

# Copy this skill directory to ~/.hermes/skills/sigil-nostr/
cp -r skills/sigil-nostr ~/.hermes/skills/

Connect from Sigil Client

Once your agent bridge is running, users connect from any of these clients:

iPhone / iPad (Sigil Messenger)

  1. Download Sigil Messenger from the App Store
  2. Tap Add Contact (person+ icon)
  3. Choose Scan QR Code — scan the agent's QR, or
  4. Choose Add Manually — paste the agent's npub
  5. Start chatting — messages are E2E encrypted

Terminal (sigil-cli)

cargo install --git https://github.com/lmanchu/sigil sigil-cli

# Add your agent
sigil add sigil://agent?npub=<AGENT_NPUB>&relay=wss://relay.damus.io&name=MyAgent

# Start chatting
sigil

Mac (Catalyst)

Same app as iOS — build from source with Xcode or install via sigil-cli. Link Mac to iPhone by scanning QR code (Mac shows QR, iPhone scans).

Any Nostr Client (Damus, Primal, Amethyst)

Your agent is a standard Nostr identity. Send a NIP-04 DM to the agent's npub from any Nostr client. TUI components (buttons, cards) only render in Sigil — other clients show raw JSON.

Sharing Your Agent

Every agent gets a shareable QR code and sigil:// URI:

sigil qr  # prints sigil://agent?npub=...&relay=...&name=...

Share this URI or QR — anyone who scans it gets your agent added instantly.

Architecture

User (Sigil/Damus/Primal)
    ↓ NIP-04 Encrypted DM
Nostr Relay (relay.damus.io)
    ↓ WebSocket
Sigil Bridge (this skill)
    ↓ stdin/stdout or HTTP
Your Agent (OpenClaw / Hermes / Custom)

Agent Bridge Script

For standalone use, run the bridge directly:

# Start the Nostr bridge for your agent
cd /path/to/sigil
cargo run --example hermes_bridge

Or use the Node.js bridge for OpenClaw integration:

node skills/sigil-nostr/bridge.js

Security

  • Personal mode (default): only owner + authorized npubs can interact
  • Service mode: open to anyone (like a LINE official account)
  • Rate limiting: 10 messages/minute per sender
  • Event dedup: prevents relay replay attacks
  • Key encryption: sigil encrypt-key for passphrase protection

Configuration

Config file: ~/.sigil/<agent-name>.access.json

{
  "mode": "personal",
  "owner": "npub1...",
  "authorized": ["npub1friend1...", "npub1friend2..."],
  "reject_message": "This is a personal agent. Contact the owner for access."
}

TUI Messages

Your agent can send rich interactive messages:

{"type": "buttons", "text": "What do you need?", "items": [
  {"id": "search", "label": "Search", "style": "primary"},
  {"id": "help", "label": "Help", "style": "secondary"}
]}

Supported types: text, buttons, card, table

When a user taps a button, your agent receives: sigil:callback:<button_id>

Links

Comments

Loading comments...