Back to skill

Security audit

Agent Backlink Network

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises, but it can make live Lightning payments and expose private deal data without enough built-in safeguards.

Review carefully before installing. Use a dedicated Nostr identity, avoid shared workspaces for .secrets files, configure only a low-balance or least-privilege Lightning wallet, require manual approval before any invoice payment or site publication, and treat decrypted DMs and relay-published business metadata as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill demonstrates access to environment secrets (`process.env.NOSTR_NSEC`) and networked operations (Nostr relays, Lightning, website verification) but does not declare corresponding permissions. This creates a transparency and consent problem: a host agent or user may install or invoke the skill without understanding that it can read sensitive configuration and perform external communications.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README instructs users to save a Nostr private key (`nsec`) in a local secrets file but does not warn that this value is equivalent to full account control and must never be shared, committed, or exposed to other agents/processes. In an agent-oriented environment where tools may read workspace files, omission of key-handling guidance materially increases the chance of credential theft and account takeover.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The README promotes encrypted DMs and relay-based negotiation as 'private' without clarifying that message routing, counterparties, timing, and business metadata may still be exposed to third-party relays or observable by network participants. This can mislead operators into treating the channel as fully confidential, increasing the risk of sensitive commercial information leakage.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The Lightning configuration example includes a payment-capable API key but does not state that it is a financial secret that can enable invoice/payment operations if leaked. In a package aimed at autonomous agents, undocumented handling requirements make accidental exposure through logs, prompts, repos, or shared workspaces more likely.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill advertises Lightning payments and backlink placement/trading workflows without an explicit warning that use may spend funds and modify websites or published content. In an agentic context, that omission is dangerous because a user or orchestrator could trigger real financial transactions or SEO/content changes without informed consent, creating monetary loss, reputational harm, or unauthorized site edits.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The executeDeal helper can automatically pay a Lightning invoice whenever deal.invoice is present and deal.role is 'buyer', with no confirmation gate, no amount verification, and no trust validation of the invoice source. In an agent setting, untrusted inputs or message-driven workflows could trigger irreversible payments to an attacker, making this materially dangerous despite appearing as a convenience feature.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The direct payInvoice method exposes a one-call path to send real Lightning funds without any warning in the API contract or runtime confirmation. Because this library is designed for agent automation, callers may invoke it on untrusted or spoofed invoices, causing unintended irreversible transfers.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The CLI prints decrypted DM contents directly to stdout in both read and watch flows, which can expose sensitive negotiation data, payment details, invoices, preimages, and link metadata to shell history capture, terminal logging, CI logs, shared sessions, or monitoring systems. In this skill's context, messages may contain Lightning settlement data and private business communications, making plaintext console disclosure materially risky.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The CLI `pay` action sends a Lightning payment immediately after receiving a BOLT11 invoice argument, with no interactive confirmation, invoice summary, amount verification, destination display, or safety interlock. In an agent-oriented backlink trading skill where invoices may originate from external parties or automated negotiation flows, this increases the risk of accidental or socially engineered fund transfers.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script publishes a signed event containing site name, URL, city, state, industry, and trading preferences to multiple external Nostr relays, but it provides no explicit warning, consent prompt, or visibility controls before doing so. Because Nostr relays are decentralized and effectively public/untrusted distribution points, users may unintentionally disclose business metadata broadly and permanently, creating privacy, profiling, and spam risks.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The LocalState interface explicitly includes a raw privateKey field, which signals that secret key material is intended to be retained in application-local state. In this skill’s context, that key controls Nostr identity and likely access to encrypted DMs and Lightning-related workflows, so theft via logs, persistence layers, browser storage, crashes, or memory disclosure could enable impersonation, message decryption, and fraudulent exchange actions.

Missing User Warnings

Low
Confidence
91% confidence
Finding
This module performs outbound HTTP(S) requests to fully user-controlled URLs and follows redirects automatically, which creates an SSRF-style capability when the function is exposed through an agent or service boundary. In the context of an agent skill, that can be abused to probe internal services, access cloud metadata endpoints, or cause unintended network interactions even though the code's stated purpose is backlink verification.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"homepage": "https://clawdhub.com/skills/agent-backlink-network",
  "license": "MIT",
  "dependencies": {
    "nostr-tools": "^2.10.4"
  },
  "devDependencies": {
    "puppeteer": "^24.36.1"
Confidence
93% confidence
Finding
"nostr-tools": "^2.10.4"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"nostr-tools": "^2.10.4"
  },
  "devDependencies": {
    "puppeteer": "^24.36.1"
  }
}
Confidence
91% confidence
Finding
"puppeteer": "^24.36.1"

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.