Archon Nostr
v0.1.0
Derive Nostr identity (npub/nsec) from Archon DID. Use when unifying DID and Nostr identities so both use the same secp256k1 key. Requires existing Archon wallet with ARCHON_PASSPHRASE set.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill claims to derive Nostr keys from an Archon DID, which legitimately requires access to the wallet mnemonic/seed and key-derivation tooling. However, the skill metadata lists no required env vars or binaries, while SKILL.md and the script require ARCHON_PASSPHRASE, node/npx/npm, and the nak CLI. This metadata omission is incoherent and can mislead users about what will actually be accessed.
Instruction Scope
The SKILL.md and script explicitly retrieve the wallet mnemonic (via `npx @didcid/keymaster show-mnemonic`), derive private keys, write a local secret file (~/.clawstr/secret.key), and publish a Nostr profile to external relays. These actions are within the stated purpose but involve sensitive operations (reading the mnemonic, creating and storing a private key, and sending events to remote relays). The instructions also recommend installing nak via a curl | sh command, which executes remote code.
Install Mechanism
There is no declared install spec, but the README instructs users to run a curl | sh installer for the 'nak' CLI (raw.githubusercontent.com URL). The included script itself runs `npm install` in /tmp to fetch bip39/@scure/bip32/secp256k1/bech32 — installing remote packages at runtime. Both the curl|sh step and on-demand npm installs are higher-risk behaviors and should be made explicit and audited.
Credentials
The skill operates on highly sensitive data: it requires the Archon wallet mnemonic (implied by SKILL.md's ARCHON_PASSPHRASE) and produces/stores the derived private key. Yet the registry metadata lists no required environment variables or primary credential. That omission is disproportionate and misleading. Requesting and handling the mnemonic is necessary for the feature, but it should be declared and justified in metadata and documented with hygiene recommendations.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and does not persist code as part of an install spec. It does instruct the user to save a secret to ~/.clawstr/secret.key (user-side persistence), which is expected for this feature but should be done with care.
What to consider before installing
This skill appears to perform the advertised job (derive a Nostr key from an Archon DID) but has several red flags you should consider before installing or running it:
1) Metadata is incomplete: the skill actually requires ARCHON_PASSPHRASE and node/npx/npm, but these are not declared. Expect the script to access your wallet mnemonic.
2) The SKILL.md recommends installing 'nak' by piping a remote script (curl | sh). Avoid running remote install scripts without review.
3) The included script runs `npm install` in /tmp, fetching packages at runtime; verify the exact packages and consider running in an isolated environment.
4) The script obtains your mnemonic via `npx @didcid/keymaster show-mnemonic` and embeds it into a node heredoc to derive keys; treat this as handling of the most sensitive secret you own.
5) The skill instructs you to store the derived private key on disk and to publish profile events to public Nostr relays; ensure you trust the relays and secure the stored key (correct file permissions, hardware wallet if possible).
Recommended actions: inspect and audit the remote install script and the npm packages, run the derivation in an isolated or disposable environment first, ensure metadata is corrected to list required env vars and binaries, and consider deriving keys with an air-gapped or offline flow if you want maximum safety.
Like a lobster shell, security has layers: review code before you run it.
Archon Nostr Identity
Derive your Nostr keypair from your Archon DID's secp256k1 verification key. Same key, two protocols.
Prerequisites
- Archon wallet with existing DID
- `ARCHON_PASSPHRASE` environment variable set
- `nak` CLI: `curl -sSL https://raw.githubusercontent.com/fiatjaf/nak/master/install.sh | sh`
Derive Keys
Run the derivation script:
```bash
./scripts/derive-nostr.sh
```
This outputs your nsec, npub, and hex pubkey derived from m/44'/0'/0'/0/0.
Save Keys
```bash
mkdir -p ~/.clawstr
# Save the nsec output from above
echo "nsec1..." > ~/.clawstr/secret.key
chmod 600 ~/.clawstr/secret.key
```
Update DID Document
Add Nostr identity for discoverability:
```bash
npx @didcid/keymaster set-property YourIdName nostr \
  '{"npub":"npub1...","pubkey":"<hex-pubkey>"}'
```
Create Nostr Profile
```bash
echo '{
  "kind": 0,
  "content": "{\"name\":\"YourName\",\"about\":\"Your bio. DID: did:cid:...\"}"
}' | nak event --sec $(cat ~/.clawstr/secret.key) \
  wss://relay.ditto.pub wss://relay.primal.net wss://relay.damus.io wss://nos.lol
```
Verify Unification
The DID's JWK x coordinate (base64url) decodes to the same hex as your Nostr pubkey:
```bash
npx @didcid/keymaster resolve-id | jq -r '.didDocument.verificationMethod[0].publicKeyJwk.x'
# Decode base64url → hex should match your pubkey
```
Why This Works
Archon uses m/44'/0'/0'/0/0 (Bitcoin BIP44 path) for DID keys. Nostr uses raw secp256k1. Same curve, same key — just different encodings.
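As an added example (not part of this skill, nor of the Archon or keymaster tooling), here is the unification check from the "Verify Unification" step done offline in Python: the JWK `x` coordinate is decoded from base64url, the npub is decoded with a minimal BIP-173 bech32 implementation (checksum verified, 32-byte x-only key enforced), and the two keys are compared. The function names are my own and the sample key used to exercise it is constructed, not a real identity.

```python
import base64
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GEN = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
def _polymod(values):  # BIP-173 checksum polynomial over 5-bit groups
    chk = 1
    for v in values:
        top, chk = chk >> 25, ((chk & 0x1FFFFFF) << 5) ^ v
        for i, g in enumerate(GEN):
            if (top >> i) & 1:
                chk ^= g
    return chk

def _hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]

def _convertbits(data, frombits, tobits, pad):  # regroup 8<->5 bits
    acc, bits, out, maxv = 0, 0, [], (1 << tobits) - 1
    for v in data:
        acc, bits = (acc << frombits) | v, bits + frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if pad and bits:
        out.append((acc << (tobits - bits)) & maxv)
    return out

def bech32_encode(hrp, payload):
    data = _convertbits(payload, 8, 5, True)
    pm = _polymod(_hrp_expand(hrp) + data + [0] * 6) ^ 1
    data += [(pm >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in data)

def bech32_decode(s):
    hrp, tail = s.lower().rsplit("1", 1)
    data = [CHARSET.index(c) for c in tail]  # ValueError on a bad char
    if _polymod(_hrp_expand(hrp) + data) != 1:
        raise ValueError("bad bech32 checksum")
    return hrp, bytes(_convertbits(data[:-6], 5, 8, False))

def jwk_x_to_hex(x):  # JWK base64url omits '=' padding; restore it
    return base64.urlsafe_b64decode(x + "=" * (-len(x) % 4)).hex()

def npub_to_hex(npub):
    hrp, key = bech32_decode(npub)
    if hrp != "npub" or len(key) != 32:  # Nostr pubkeys are 32-byte x-only
        raise ValueError("expected a 32-byte npub")
    return key.hex()

def identities_unified(x, npub):  # same key behind the DID and the npub?
    return jwk_x_to_hex(x) == npub_to_hex(npub)
```

Feed `identities_unified` the `x` value printed by the `resolve-id | jq` command and the npub from the derivation script; a tampered or mismatched npub fails the bech32 checksum or the comparison rather than silently passing.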