nostrsocial

Security checks across malware telemetry and agentic risk

Overview

The skill matches its Nostr contact-management purpose, but it tells operators to print a root device secret during setup.

Install only if you are comfortable with a package that manages identity-linked relationship data. Do not print, paste, or log the device secret; store it in a secure secret manager or encrypted backup, protect any Nostr private key/passphrase, and verify the external Python package before providing credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly instructs operators to export and print a root device secret, even though that secret anchors all proxy identity derivation. Printing or otherwise displaying such a secret materially increases the chance of exposure through logs, terminal scrollback, shell history capture, screen recording, or shoulder surfing, which could enable identity takeover or irreversible compromise of the relationship map.

VirusTotal

64/64 vendors flagged this skill as clean.
