nostrcalendar

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it installs a Nostr calendar helper and uses a Nostr private key to publish and manage calendar events on relays.

Install only if you trust the `nostrcalendar` Python package source. Use a dedicated Nostr key for this calendar identity, keep `NOSTR_NSEC` out of logs and shared shells, and understand that relays may expose scheduling metadata such as times and participant public keys even when event details are encrypted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium (95% confidence)
Finding
The setup instructions require loading and using a Nostr private key (`NOSTR_NSEC`) and frame it as standard configuration, but they do not prominently warn that compromise of this secret gives full control over the identity and its signed events. In an agent skill context, encouraging routine environment exposure of a signing key increases the chance that operators inject highly sensitive credentials into automation without sufficient isolation, rotation, or scope controls.

VirusTotal

65/65 vendors flagged this skill as clean.
