nostr-profile

Pass. Audited by ClawScan on May 1, 2026.

Overview

The skill is coherent and purpose-aligned, but it legitimately handles Nostr signing credentials and publishes public profile information.

This skill appears suitable for its stated purpose, but only install it if you are comfortable giving it access to a Nostr signing identity and publishing profile metadata publicly. Use a dedicated key if possible, review the profile fields before publishing, and treat Nostr profile data as public and potentially long-lived.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone with the raw nsec key can act as that Nostr identity, so mishandling it could compromise the profile/account.

Why it was flagged

The example reads a raw Nostr private signing key from an environment variable. This is purpose-aligned for publishing signed Nostr profile events, but the key is sensitive and should not be exposed.

Skill content

identity = Identity.from_nsec(os.environ["NOSTR_NSEC"])

Recommendation

Use a dedicated Nostr identity where possible, keep nsec/passphrases out of logs and chats, and verify which environment variables are required before installing.

What this means

Profile names, bios, images, and related metadata may become visible publicly on the Nostr network.

Why it was flagged

The skill can publish profile metadata to a Nostr relay. This is the advertised function and the instructions include operator confirmation, but it is still an external public write action.

Skill content

asyncio.run(publish_profile(me, profile, relay))

Recommendation

Confirm the exact profile fields and relay before publishing or updating.

What this means

Installing the skill brings in package code not fully shown in the provided artifacts.

Why it was flagged

The install path depends on an external Python package. This is normal for a Python skill, but users rely on that package’s published contents and provenance.

Skill content

"pip": "nostr-profile"

Recommendation

Install from the expected package/repository and review package provenance if the Nostr private key is valuable.

What this means

Users could publish more personal information than intended if they focus only on the fact that profile events can be updated and overlook that the data is publicly exposed.

Why it was flagged

The artifact clearly warns that profile data is public. Users should also remember that public relay data may be copied or archived even when profile events are replaceable.

Skill content

A Nostr profile is **public**. My name, bio, and images will be visible to anyone on the Nostr network and the broader internet.

Recommendation

Assume anything published to Nostr may remain public; avoid private or sensitive profile content.