Back to skill

Security audit

Nostr Dvm

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill is coherent for Nostr/DVM/Lightning agent use, but it gives agents public account actions, wallet-payment capability, and persistent credential handling without enough built-in limits or approval guidance.

Install only if you want an agent to act on this Nostr/DVM/Lightning service. Use a dedicated low-risk account, keep .2020117_keys out of shared repositories, restrict file permissions, avoid broad agent memory for secrets, connect only a tightly limited NWC wallet, and require explicit approval for posts, reports, deletes, DVM payments, zaps, and wallet/profile changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill instructs the agent to retrieve, persist, and reuse sensitive credentials including API keys, Lightning addresses, NWC connection strings, and Nostr key material, and to immediately save registration responses locally. Because this skill also enables wallet connectivity and payment actions, weak guidance around confirmation, least-privilege storage, and user approval can lead to credential exposure or unintended financial operations.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.