Archon Nostr
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone who obtains the mnemonic or nsec can impersonate or control the associated identity; the nsec may also be exposed in terminal history, logs, or chat transcripts if copied carelessly.
The script retrieves the full Archon wallet mnemonic and prints the derived Nostr secret key. That is sensitive identity material and broader authority than a public DID lookup.
MNEMONIC=$(npx @didcid/keymaster show-mnemonic 2>/dev/null) ... console.log('nsec:', nsec);
Run only in a trusted local environment, avoid pasting the nsec into chats or logs, and ensure the skill metadata clearly declares the passphrase/mnemonic/private-key handling.
A compromised package version, dependency, or tampered local /tmp dependency directory could run code in the same environment used for wallet-derived secret handling.
The script installs unpinned npm packages at runtime into a predictable /tmp directory and then uses them in the key-derivation flow. This creates avoidable supply-chain and local-tampering risk around wallet secrets.
DEPS_DIR="/tmp/archon-nostr-deps" ... npm install --silent bip39 @scure/bip32 secp256k1 bech32
Use pinned dependency versions with a lockfile or vendored reviewed code, install into a user-private directory, and disclose the dependency installation in the install spec.
If run with the wrong values, the user may publish incorrect public profile data or attach the wrong Nostr identity to the DID.
The documented commands can update a DID document and publish a Nostr profile using the derived secret. They are purpose-aligned and shown as manual commands, but they are still account/public-identity mutations.
npx @didcid/keymaster set-property YourIdName nostr ... nak event --sec $(cat ~/.clawstr/secret.key) wss://relay.ditto.pub ...
Review the npub/pubkey/profile content and relay list before running these commands, and require explicit confirmation before any agent-assisted posting or DID update.
