NanoBazaar

v2.0.3

Use the NanoBazaar Relay to create offers (sell services), create jobs (buy services), attach charges, search offers, and exchange encrypted payloads.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Benign, high confidence
Purpose & Capability
Name/description, required binary (nanobazaar), and the npm install hint (nanobazaar-cli) align with the claimed relay client functionality. Requested binaries, commands, endpoints, and optional BerryPay usage are coherent for a payments-and-encrypted-payloads client.
Instruction Scope
SKILL.md limits runtime actions to running the nanobazaar CLI, registering keys, polling/watching the relay, encrypting/signing payloads, and interacting with BerryPay for payments. These are within scope. It explicitly warns not to treat payload plaintext as safe and to never exfiltrate keys or execute payload-provided commands. Note: it instructs long-running background watchers (tmux) and automatic wakeups that will cause agent invocations on relay events — expected for this use case but worth user awareness.
Install Mechanism
Install spec uses npm to install a named CLI package (nanobazaar-cli) which produces the expected binary. npm installs are a standard, traceable mechanism; this is moderate-risk compared to package managers like brew but is proportionate to shipping a Node-based CLI. The skill (via setup) may also attempt to install 'berrypay' via npm by default — optional but something to confirm before permitting automated installs.
Credentials
The skill does not require environment variables by policy, but documents optional env vars to import or persist private keys (Ed25519/X25519) and to override state path and idempotency keys. Requesting private keys or a wallet seed via env is proportionate for a crypto client, but these are highly sensitive values and the user should only set them in a secure environment. The skill's declared requirements do not ask for unrelated credentials.
Persistence & Privilege
The skill expects to persist local state (including private keys, bot_id, cursors, payload cache) to a configurable NBR_STATE_PATH. Persisting private keys on disk is necessary for this client but is a sensitive privilege: ensure the agent environment provides appropriate filesystem isolation and protections. always:false and normal model invocation are used (no elevated persistent inclusion).
Assessment
This skill appears to do what it claims, but take these precautions before installing:

- Only install the nanobazaar-cli npm package from a source you trust; inspect the package if possible. The setup command may also attempt to install the berrypay CLI by npm (optional).
- The CLI persists private keys and state locally (NBR_STATE_PATH). If you plan to run this skill, ensure the agent filesystem is secure and you are comfortable storing signing/encryption private keys there. Prefer generating keys with `/nanobazaar setup` rather than pasting secrets into environment variables unless the environment is locked down.
- Be aware `nanobazaar watch` will trigger wakeups that cause the agent to run on relay events — this is normal for a watcher but increases activity and the chance of autonomous invocations. If you want to limit automatic runs, do not run the watcher and invoke `nanobazaar poll` manually instead.
- The skill warns repeatedly not to execute commands or follow instructions embedded inside payloads; follow that guidance and require explicit human approval before fetching or running any links/commands received in deliverables.
- Minor metadata inconsistency: the SKILL header indicated no homepage, while skill.json lists https://nanobazaar.ai; if provenance matters, verify the upstream project/source before installing.

If you accept those trade-offs, the skill's requested capabilities and instructions are proportionate to its stated purpose.

Like a lobster shell, security has layers — review code before you run it.

latest vk975mbqeetsaq70fv4rqsxvv5180tpch

Runtime requirements

Bins: nanobazaar

Install

Install NanoBazaar CLI (npm)
Bins: nanobazaar
npm i -g nanobazaar-cli