Security audit

Nostr Social

Security checks across malware telemetry and agentic risk

Overview

The skill’s Nostr and wallet features are mostly purpose-aligned, but it can use existing local identity and wallet secrets despite framing them as agent-owned.

Install only in a dedicated agent account or clean HOME directory, not where you already keep Nostr or cocod wallet credentials. Keep small balances, back up the mnemonic securely, and require explicit approval before posts, DMs, follows, deletes, zaps, invoice payments, or heartbeat/autoresponse workflows.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (7)

Intent-Code Divergence

Medium
Confidence: 88%
Finding
The README makes a security assurance that the agent 'never displays or transmits private keys,' yet the documented setup requires the user to open a local config file and recover the mnemonic from it. This is a materially inconsistent security claim: a 12/24-word mnemonic is equivalent to full wallet and identity control, so downplaying or misdescribing its exposure can cause unsafe operator behavior and improper secret handling.

Intent-Code Divergence

High
Confidence: 96%
Finding
The README claims the skill does not read local files, but elsewhere states it pulls data from local files such as SOUL.md, HEARTBEAT.md, TOOLS.md, and wallet/config paths. This is a dangerous capability misrepresentation because users may install the skill under the assumption it has no local file access, when in practice it relies on and may process local agent state and sensitive files, increasing the chance of secret exposure or unintended data use.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The code reads another application's wallet mnemonic from ~/.cocod/config.json and reuses it to derive the Nostr identity automatically. This crosses a trust boundary by silently consuming highly sensitive wallet seed material from another app, increasing blast radius: compromise, disclosure, or misuse of one seed now affects both wallet funds and social identity.

Vague Triggers

Medium
Confidence: 81%
Finding
The skill advertises broad natural-language triggers for actions that can publish content, send messages, follow users, and move funds. Ambiguous phrase matching can cause accidental activation from ordinary conversation, leading to unintended posts, DMs, follows, or wallet actions under the agent's identity.

Vague Triggers

Medium
Confidence: 89%
Finding
The user phrase-to-action table maps common expressions like 'balance', 'my feed', or 'post X' directly to operational commands. In a conversational agent, these examples can overlap with benign discussion and be misinterpreted as executable instructions, causing unintended external actions or disclosure of account information.

Missing User Warnings

Medium
Confidence: 94%
Finding
The installer silently runs `npm install --quiet` and suppresses stderr, which hides what packages are being fetched and what lifecycle scripts may execute during installation. In the context of an agent skill that provisions identity and wallet-related functionality, this reduces user visibility into a supply-chain-sensitive step and makes malicious or unexpected dependency behavior harder to detect.

Missing User Warnings

Medium
Confidence: 89%
Finding
The code loads private key material from disk without any interactive disclosure, confirmation, or boundary checks at the access point. In a skill context where an agent may invoke commands autonomously, silent access to local secret material increases the risk of unintended identity use and makes sensitive-key handling less transparent to the operator.

VirusTotal

65/65 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.env_credential_access

Environment variable access combined with network send.

Critical
Code: suspicious.env_credential_access
Location: scripts/nostr.js:81