Niftyagents
v1.0.3A cryptographic protocol for AI agents to mint, sign, verify, and transfer SVG digital assets without a blockchain.
⭐ 0· 174·0 current·0 all-time
byVeselin Vasilev@obekt
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
The name/description (NASP) matches the included TypeScript sources: index.ts implements identity generation, signing, verification, and transfer of SVGs; server.ts provides an optional local verification endpoint. No unrelated env vars, binaries, or external credentials are requested.
Instruction Scope
SKILL.md instructions stay within the stated domain (import functions, run verification server, run tests/simulation). It includes full file contents and example artifacts (which contain base64-encoded manifests). The simulation code writes vault files containing secret keys to disk (simulation/vault.ts) — that's expected for a local simulation but is sensitive; the SKILL.md explicitly warns to keep secretKey secure.
Install Mechanism
There is no automated install spec (instruction-only for OpenClaw). The repository includes package.json and a package-lock with normal npm dependencies (tweetnacl, svgo, express, etc.). Installing/running the code would require standard npm tooling; no remote arbitrary downloads or obscure installers are present in the package manifest.
Credentials
No environment variables, credentials, or config paths are requested. The only sensitive artifact is agent secret keys: the simulation stores secretKey in 'vault.json' (Base64) and sets file permissions (chmod 600). Storing keys locally in plaintext-base64 is functional for simulations but could be risky for real deployments unless the user replaces it with an encrypted/managed vault.
Persistence & Privilege
Skill is not configured as always:true and does not request persistent platform-wide privileges. The code writes files when you run the simulation or mint scripts (expected behavior), but it does not modify other skills or global agent settings.
Scan Findings in Context
[base64-block] expected: SKILL.md and README embed base64-encoded NASP manifests (e.g., genesis_artifact.svg metadata). The detector flagged base64 content, but embedding base64 metadata is a core protocol design here and is expected. Still, any base64 blobs should be reviewed manually if you are concerned about hidden payloads.
Assessment
This skill appears to implement what it says: a non-blockchain SVG signing/transfer protocol. Before installing or running code: 1) Review/limit where you run the included server (it's a local verification endpoint; don't expose it to untrusted networks). 2) Treat secretKey material carefully — the simulation writes Base64 secret keys to vault.json; for production use, replace that with an encrypted vault or OS-managed key store. 3) If you plan to npm install and run tests, audit the package.json dependencies (tweetnacl, svgo, express are expected) and run tests in an isolated environment. 4) The SKILL.md contains full source and embedded base64 manifests (the pre-scan flagged this); that's expected here but review any Base64 content before using in sensitive contexts. If you want higher assurance, ask the author for a reproducible build, or run the test suite inside an isolated container and inspect vault.json handling.Like a lobster shell, security has layers — review code before you run it.
latestvk977r6nxb4spczzja9t501epm982sb90
License
MIT-0
Free to use, modify, and redistribute. No attribution required.