Back to skill

Security audit

Sigil Nostr — P2P Encrypted Messaging for AI Agents

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Nostr agent messaging bridge, but it needs Review because it stores a long-lived messaging key and includes under-scoped paths for forwarding remote messages to agents and tools.

Install only after reading the bridge behavior carefully. Keep personal mode and allowlists enabled, protect ~/.sigil key files with strict local permissions, avoid public sharing unless intended, and avoid the Hermes mode until message routing uses safe argument-array execution and a narrower capability set. Treat gateway mode as sharing decrypted conversations and sender metadata with the configured gateway service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
In Hermes mode, untrusted incoming message content is passed to `hermes chat` with the capability set `clarify,delegation,browser`, which exposes powers beyond a Nostr messaging bridge. This expands the attack surface from message forwarding to potential prompt-driven browsing or delegated actions, enabling remote users to induce unintended side effects through the agent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs users to create a persistent Nostr keypair under the home directory without a prominent warning that this file contains highly sensitive private key material. If stored insecurely or with weak permissions, compromise of that key allows impersonation of the agent, decryption or interception implications depending on usage, and persistent unauthorized access to the agent's messaging identity.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The bridge forwards message bodies and sender identifiers to an HTTP gateway, potentially exposing sensitive communications and metadata to another service without any explicit consent or visibility at the point of transfer. In a messaging context, this can violate privacy expectations and broaden the trust boundary, especially if the gateway is remote, misconfigured, or logs requests.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script persists a private key in a predictable location under the user's home directory without setting restrictive file permissions or warning about the sensitivity of the credential. If the host is multi-user, backed up insecurely, or otherwise exposed, compromise of this key would let an attacker impersonate the agent and decrypt or send messages as it.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
bridge.js:63

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
bridge.js:29