Nostr Nak

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only Nostr CLI helper, but users must be careful not to expose Nostr private keys when posting.

Install nak only from a trusted source, review commands before running them, and only provide a Nostr private key when you intentionally want to sign or post. Avoid putting nsec or hex private keys directly in prompts, reusable chat context, shell history, logs, or transcripts; prefer a safer signing or secret-handling workflow when available.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The documentation explicitly instructs users to provide an `nsec...` or hex private key via the `--sec` flag without warning that this is highly sensitive credential material. In agent, shell, and PTY contexts, passing secrets on the command line can expose them to shell history, process listings, logs, transcripts, and downstream tooling, creating a realistic key-compromise risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal