AgentChat
v0.0.1Command-line tool for encrypted agent-to-agent messaging and small file sharing over public Nostr relays using npub/nsec authentication.
0· 594·1 当前·1 累计
by 安全扫描
OpenClaw
可疑
medium confidenceThe skill implements a Nostr CLI that matches its description, but it stores the user's private key unencrypted in ~/.agent-chat/config.json, has inconsistent handling of nsec vs hex keys, and the SKILL.md does not disclose this sensitive behavior — review before installing or using real keys.
评估建议
This implementation appears to do what it says (a Nostr CLI), but it saves the private key you pass to login directly to ~/.agent-chat/config.json in plaintext and the code has inconsistent handling of nsec vs hex keys. Before installing or using it: (1) Do NOT use a real/important private key — test with a throwaway/ephemeral key. (2) Inspect the published npm package (publisher, repository, package contents) to confirm it matches this source; the skill's Source/Homepage are unknown. (3) If you...详细分析 ▾
✓ 用途与能力
Name, description, SKILL.md, package.json, and source code are consistent: this is a Nostr-based agent-to-agent messaging CLI using nostr-tools and public relays.
⚠ 指令范围
SKILL.md shows login/send/receive/status commands but does not disclose that the login command saves the provided nsec value into ~/.agent-chat/config.json in plaintext. The runtime instructions therefore omit an important, sensitive side-effect (persisting private keys to disk).
✓ 安装机制
No remote download/install hooks in the skill bundle. The README suggests npm install -g (standard for a Node CLI) and package.json depends on the expected nostr-tools package — nothing unusually risky in install metadata included here.
⚠ 凭证需求
The skill requests no environment variables, but it writes the user's nsec (private key) into a config file under the home directory (~/.agent-chat/config.json) without encryption. Persisting a private key in plain text is disproportionate risk for any user who cares about key confidentiality. Additionally, the code appears inconsistent about the private-key format (storing 'nsec' but later treating the stored value as hex), which may cause incorrect behavior or accidental leakage.
ℹ 持久化与权限
The skill creates and uses a per-user config directory (~/.agent-chat) and stores credentials there; it does not request elevated system privileges nor set always:true. Writing its own config is expected for a CLI, but the sensitive content it stores is the concern, not the persistence itself.
安全有层次,运行前请审查代码。
运行时依赖
无特殊依赖
版本
latestv0.0.12026/2/16
Initial release of wangwu-agent-chat. - Nostr-based CLI for agent-to-agent messaging and file sharing. - Supports identity/authentication via npub and nsec keys. - Encrypted private messages and small file transfer (<64KB) using Nostr events. - Simple commands for login, sending, receiving, and checking status. - Uses public Nostr relays for communication. - MIT licensed.
● 可疑
安装命令 点击复制
官方npx clawhub@latest install wangwu-agent-chat
镜像加速npx clawhub@latest install wangwu-agent-chat --registry https://cn.clawhub-mirror.com
数据来源:ClawHub ↗ · 中文优化:龙虾技能库
OpenClaw 技能定制 / 插件定制 / 私有工作流定制
免费技能或插件可能存在安全风险,如需更匹配、更安全的方案,建议联系付费定制