nostr-profile
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: nostr-profile
Version: 0.2.0

The nostr-profile skill is a legitimate utility for managing Nostr identities (Kind 0 metadata) on the Nostr network. It uses the 'nostr-profile' and 'nostrkey' libraries to publish, read, and update profile information such as names, bios, and avatars. The SKILL.md instructions include appropriate security guidance, explicitly directing the agent never to log private keys (nsec) and to tell users that profile data is public. The code and examples (e.g., examples/publish_profile.py) match the stated purpose, with no signs of malicious intent or unauthorized data exfiltration.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone with the raw nsec key can act as that Nostr identity, so mishandling it could compromise the profile/account.
The example reads a raw Nostr private signing key from an environment variable. This is purpose-aligned for publishing signed Nostr profile events, but the key is sensitive and should not be exposed.
identity = Identity.from_nsec(os.environ["NOSTR_NSEC"])
Use a dedicated Nostr identity where possible, keep nsec/passphrases out of logs and chats, and verify which environment variables are required before installing.
Profile names, bios, images, and related metadata may become visible publicly on the Nostr network.
The skill can publish profile metadata to a Nostr relay. This is the advertised function and the instructions include operator confirmation, but it is still an external public write action.
asyncio.run(publish_profile(me, profile, relay))
Confirm the exact profile fields and relay before publishing or updating.
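One way to act on "confirm the exact profile fields and relay before publishing", as an added example that is not part of the skill or the nostr-profile library: validate the profile against the Kind 0 content keys defined in NIP-01 (name, about, picture) and NIP-24 (display_name, website, banner, bot, nip05, lud16), refuse any value that carries an nsec, require a wss:// relay, build the unsigned event and its NIP-01 id, and render the confirmation text the operator sees before the write. The function names, the pubkey and the profile values are constructed for the example; the library's own publish_profile signature is not assumed.

```python
"""Added example: validate and preview a Kind 0 event before handing it to a relay."""
import hashlib
import json
import re
from urllib.parse import urlparse

# Kind 0 content keys from NIP-01 (name, about, picture) and NIP-24 (the rest).
KIND0_FIELDS = {"name", "about", "picture", "display_name", "website",
                "banner", "bot", "nip05", "lud16"}
_NSEC_RE = re.compile(r"nsec1[qpzry9x8gf2tvdw0s3jn54khce6mua7l]{58}", re.IGNORECASE)


def validate_profile(profile: dict) -> list:
    """Return the reasons this profile must not be published (empty list = OK)."""
    problems = []
    for key in sorted(set(profile) - KIND0_FIELDS):
        problems.append(f"unknown field {key!r} is not kind 0 metadata")
    for key, value in profile.items():
        if key == "bot":
            if not isinstance(value, bool):
                problems.append("field 'bot' must be a boolean")
        elif not isinstance(value, str):
            problems.append(f"field {key!r} must be a string")
        elif _NSEC_RE.search(value):
            problems.append(f"field {key!r} contains a private key")
    return problems


def validate_relay(relay: str) -> list:
    """Only accept TLS websocket relays; a plaintext ws:// relay exposes the event in transit."""
    u = urlparse(relay)
    if u.scheme != "wss" or not u.hostname:
        return [f"relay {relay!r} is not a wss:// URL"]
    return []


def build_kind0(profile: dict, pubkey_hex: str, created_at: int) -> dict:
    """Build the unsigned event; the id is sha256 of the NIP-01 serialization
    [0, pubkey, created_at, kind, tags, content] with no whitespace."""
    problems = validate_profile(profile)
    if problems:
        raise ValueError("; ".join(problems))
    content = json.dumps(profile, separators=(",", ":"), ensure_ascii=False)
    serial = json.dumps([0, pubkey_hex, created_at, 0, [], content],
                        separators=(",", ":"), ensure_ascii=False)
    return {"id": hashlib.sha256(serial.encode("utf-8")).hexdigest(),
            "pubkey": pubkey_hex, "created_at": created_at,
            "kind": 0, "tags": [], "content": content}


def confirmation_prompt(event: dict, relay: str) -> str:
    """Text shown to the operator before the write; every value listed becomes public."""
    fields = json.loads(event["content"])
    lines = [f"About to publish kind 0 (id {event['id'][:16]}...) to {relay}:"]
    lines += [f"  {k}: {v}" for k, v in fields.items()]
    lines.append("Everything above is public and may be copied or archived by relays and crawlers.")
    return "\n".join(lines)


if __name__ == "__main__":
    pubkey = "ab" * 32                      # constructed placeholder, not a real key
    relay = "wss://relay.example.com"       # constructed placeholder
    profile = {"name": "alice", "about": "hello nostr", "bot": False}
    problems = validate_profile(profile) + validate_relay(relay)
    if problems:
        raise SystemExit("refusing to publish: " + "; ".join(problems))
    print(confirmation_prompt(build_kind0(profile, pubkey, 1700000000), relay))
```

Because the id is derived from the exact content string, the operator can later verify that what a relay returns for the identity matches what was confirmed; a mismatch means the relay or someone with the key has replaced the event.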
Installing the skill brings in package code not fully shown in the provided artifacts.
The install path depends on an external Python package. This is normal for a Python skill, but users rely on that package’s published contents and provenance.
"pip": "nostr-profile"
Install from the expected package/repository and review package provenance if the Nostr private key is valuable.
Users could publish more personal information than intended if they focus on the fact that a profile can be updated later rather than on its public exposure.
The artifact clearly warns that profile data is public. Users should also remember that public relay data may be copied or archived even when profile events are replaceable.
A Nostr profile is **public**. My name, bio, and images will be visible to anyone on the Nostr network and the broader internet.
Assume anything published to Nostr may remain public; avoid private or sensitive profile content.
