Agent Chat Nostr

Security checks across malware telemetry and agentic risk

Overview

This Nostr chat tool matches its purpose, but it handles a private identity key in ways users may not realize are risky.

Install only if you are comfortable giving this tool a Nostr private key. Use a dedicated low-value Nostr identity, avoid pasting an important long-lived `nsec` into shell history, protect or delete `~/.agent-chat/config.json` when finished, and remember that public relays may reveal messaging metadata even when message contents are encrypted.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill documentation instructs users to log in by passing an nsec private key directly on the command line and describes use of public relays, but provides no warning about key secrecy, shell history exposure, process-list leakage, or metadata/privacy risks from public messaging infrastructure. In agent ecosystems, users may copy-paste sensitive credentials into terminals or automation, making credential compromise and message correlation more likely.

Missing User Warnings

Medium

Confidence: 98% confidence
Finding: The login flow stores the user's Nostr private key (`nsec`) in `~/.agent-chat/config.json` in plaintext, with no permission hardening, encryption, or warning to the user. Any local process, malware, backup leak, or other user on a misconfigured system that can read this file can fully compromise the identity and decrypt/send messages as that user.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal