Cifer SDK
v0.3.0
Enable quantum-resistant encryption and secret management for blockchain apps with post-quantum ML-KEM-768 key encapsulation and multi-chain support.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes a coherent SDK for post-quantum encryption on blockchain (CIFER) and the examples and API surface align with that purpose. However the package has no description/homepage in the registry metadata and the skill bundle includes no code or install policy (it is instruction-only), so trust depends on the external npm package and service.
Instruction Scope
The instructions include concrete code examples that reference external services (blackbox.cifer.network), wallet integrations, and use of process.env.PRIVATE_KEY for server-side signing. The skill does not instruct the agent to read unrelated host files, but it does instruct developers/operators to place private keys in environment variables and to send payloads to an external 'blackbox' endpoint — actions that carry sensitive-data transfer risks and require explicit trust and provenance of the external service.
Install Mechanism
No install spec is bundled with the skill (instruction-only). The README suggests installing an npm package (npm/yarn/pnpm). That is a normal, low-risk pattern for an SDK — risk shifts to the external npm package and its source repository, which are not included here.
Credentials
The SKILL.md examples use a PRIVATE_KEY env var for a server-side private-key signer, but the skill metadata declares no required environment variables. Recommending or expecting a PRIVATE_KEY is reasonable for an SDK, but the lack of declared env requirements is a mismatch. Additionally, use of an external 'blackbox' service implies the agent or application will transmit encrypted data and metadata off-host — this is proportionate to the SDK's purpose but requires explicit trust in that service and caution with secrets.
Persistence & Privilege
The skill does not request permanent presence (always:false) and is user-invocable only. It does not attempt to modify other skills or system-wide settings. Autonomous invocation is allowed (default) but not combined with other high-risk flags.
What to consider before installing
This skill appears to document a legitimate post-quantum encryption SDK, but it is instruction-only and references sending data to an external 'blackbox.cifer.network' service and using PRIVATE_KEY environment variables. Before installing or using it:
1) Verify the npm package (cifer-sdk) on the registry — check package maintainers, repository URL, recent publish history, and source code.
2) Do not expose your real private keys to unverified code or services; prefer hardware wallets or ephemeral keys and avoid putting long-term private keys in environment variables the agent could access.
3) Audit or review the SDK source code (and any blackbox service docs or repo) to confirm what data is transmitted to the external service and whether keys or plaintext could be exfiltrated.
4) If you must test, use a restricted test account and network, and run the package in an isolated environment.
5) Ask the skill author for homepage/repo and a declared list of required env vars (the SKILL.md references PRIVATE_KEY but the skill metadata doesn't declare it). Providing any of those (repo URL, contact, or package audit) would increase confidence.
Like a lobster shell, security has layers — review code before you run it.
