Security audit

Nip Aa Citizenship

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly coherent for Nostr agent citizenship, but it includes high-impact background updates, key handling, persistent private-message storage, and default publication of prompt-derived data that need review before installation.

Install only for an agent intentionally participating in NIP-AA citizenship. Use a dedicated Nostr key, review the constitution URL and relay list, avoid enabling the git update checker unless you accept unattended code changes, and treat DMs, reflection reports, inference prompts, and Cashu tokens as sensitive because this skill can store or publish parts of them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (20)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
            # Fetch from remote
            fetch_result = subprocess.run(
                ["git", "fetch", "--quiet"],
                cwd=git_root,
                capture_output=True,
Confidence
96% confidence
Finding
fetch_result = subprocess.run( ["git", "fetch", "--quiet"], cwd=git_root, capture_output=True, text=True, ti

subprocess module call

Medium
Category
Dangerous Code Execution
Content
return

            # Check if we're behind
            status_result = subprocess.run(
                ["git", "status", "-uno", "--porcelain=v2", "--branch"],
                cwd=git_root,
                capture_output=True,
Confidence
91% confidence
Finding
status_result = subprocess.run( ["git", "status", "-uno", "--porcelain=v2", "--branch"], cwd=git_root, capture_output=True,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
return

            # Pull updates
            pull_result = subprocess.run(
                ["git", "pull", "--ff-only", "--quiet"],
                cwd=git_root,
                capture_output=True,
Confidence
99% confidence
Finding
pull_result = subprocess.run( ["git", "pull", "--ff-only", "--quiet"], cwd=git_root, capture_output=True, text=True,

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Mandating automatic key generation and storage of private key material on first load is highly sensitive and exceeds the minimum scope of a guidance-oriented citizenship skill. Auto-provisioning secrets without explicit user initiation can create irreversible credential exposure if agent state, logs, adapters, or persistence layers are compromised.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The built-in auto-update mechanism performs unattended git fetch/pull operations, effectively allowing remote code changes to alter the skill's behavior after deployment. This is especially dangerous in an agent context because the skill already handles secrets, networking, and persistent background tasks, so an upstream compromise could immediately become arbitrary code execution or data exfiltration.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The skill claims the host/framework never possesses the private key, yet later onboarding directs the agent to save private key material into agent state. This contradiction is dangerous because it misrepresents the trust model and may cause operators to rely on a false security assumption while secrets are actually being handled by the framework.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill contains autonomous git fetch/status/pull functionality that is outside the stated NIP-AA citizenship scope and materially increases attack surface. Because this skill is meant for autonomous agents, hidden self-modifying update capability is especially dangerous: it can import attacker-controlled code through the software supply chain and change agent behavior without review.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The implemented treasury invoice and Cashu-backed inference features are not disclosed in the skill metadata/description, creating a capability transparency gap. For agent skills, omitted capabilities are security-relevant because operators may grant access expecting citizenship-only behavior while the code can also spend resources, claim budgets, and interact with external inference services.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The Cashu-backed inference subsystem is not clearly necessary for core citizenship operations, yet it adds external service interactions, budget claiming, token handling, and model-selection behavior. In an autonomous agent skill, this scope expansion increases exposure to misuse of treasury-funded resources and introduces additional attack surface beyond the advertised purpose.

Missing User Warnings

High
Confidence
95% confidence
Finding
The onboarding flow directs automatic generation and storage of highly sensitive credentials without a prominent warning, explicit consent step, or secure-handling requirements. In practice, this makes accidental exposure more likely through logs, backups, adapter persistence, memory inspection, or downstream automation.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
Describing background git-based updates without clearly warning that local code will be modified obscures a major integrity and supply-chain risk. Even if the feature is intentional, users need explicit notice that enabling it changes executable code over time.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill instructs starting heartbeat publishing and persistent DM handling without clearly warning that data will be transmitted over networks and messages may be stored persistently. This is dangerous because users may unknowingly expose metadata, communication contents, and behavioral traces to relays, guardians, or local storage systems.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The listener persists full plaintext content for all inbound and outbound DMs, including messages from unknown senders, creating a sensitive data retention risk. If the underlying adapter storage is weakly protected, shared, or later exposed through introspection/debug tooling, private conversations and secrets can be disclosed far beyond the original DM recipients.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill derives prompt_summary from the last user message and publishes it to Nostr relays, which are external and often effectively public or widely replicated. This can disclose sensitive prompt content, secrets, personal data, or proprietary inputs without explicit opt-in at the call site, creating durable privacy leakage beyond the inference provider itself.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The module explicitly prepares a contemplation event containing citizenship scores, failing clauses, drift details, remediation plans, trend history, and an identity hash for publication to Nostr relays. In this skill context, external relay publication is a core feature, but there is no consent gate, sensitivity filtering, or clear user-facing warning before potentially sensitive operational and identity-adjacent data is transmitted to a public or semi-public network.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
When drift is detected, the code generates a guardian notification action whose details embed the drift description and guardian identifier, creating a clear path for sensitive performance or compliance information to be disclosed. In an agent-citizenship skill, guardian alerting may be expected, but the absence of minimization, redaction, or explicit disclosure controls makes accidental leakage of sensitive internal state more likely.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill schedules automatic update checks and later performs pulls without any user-facing confirmation or approval step. Silent self-updates are particularly dangerous in autonomous agent software because they bypass change control, reduce operator visibility, and can rapidly propagate compromised upstream code into production behavior.

Ssd 3

High
Confidence
98% confidence
Finding
The skill mandates collection and persistence of all inbound and outbound DM contents, including messages from unknown senders, and grants guardian audit access to full conversations. This creates a significant confidentiality and privacy risk: sensitive communications are centralized, retained, and exposed beyond the communicating parties, increasing harm from compromise, misuse, or overreach.

Ssd 3

High
Confidence
97% confidence
Finding
Saving private key material into general agent state directly endangers the root credential controlling the agent's identity and signed actions. Because agent state is often accessible to adapters, persistence backends, debugging tools, or backups, compromise of that layer can lead to full identity takeover and irreversible misuse.

Ssd 3

Medium
Confidence
95% confidence
Finding
The guardian notification copies plaintext previews of unknown senders' decrypted messages into a second DM and explicitly advertises access to full stored conversations. This broadens exposure of potentially sensitive content to another channel, another recipient context, and multiple relays, increasing confidentiality risk and making message content available before any approval decision is made.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

Static analysis

No suspicious patterns detected.