Security scan
OpenClaw
Suspicious
medium confidence
Assessment and recommendations
This skill implements a Nostr-based calendar and legitimately needs a Nostr private key (NOSTR_NSEC) to sign events. Before installing: (1) confirm the package source — metadata suggests pip, but the install spec shows an unexpected "uv" kind; prefer installing from a trusted index or inspect the package contents first; (2) understand that providing NOSTR_NSEC gives the skill the ability to sign events as that entity (use an entity-specific key, not your personal/high-privilege key); (3) review ...
ℹ Purpose and capabilities
The declared purpose (calendar over Nostr) aligns with needing a private Nostr key (NOSTR_NSEC) to sign events and a relay URL. However the registry header said "Required env vars: none" while the SKILL.md and metadata.json both require NOSTR_NSEC — this metadata mismatch is inconsistent and should be resolved.
✓ Instruction scope
SKILL.md and examples stay within the calendar scheduling domain: publishing availability, querying free slots, creating bookings, and negotiating proposals via Nostr relays. The skill explicitly instructs reading NOSTR_NSEC and using a relay; no instructions request unrelated system files or unrelated credentials. It does include an instruction-level example to run subprocess.run(["pip","install","nostrcalendar"]), which would perform a network install at runtime.
⚠ Install mechanism
The skill is installed as a Python package (metadata.json lists pip: nostrcalendar), but the registry/install spec shows kind: "uv" with package: nostrcalendar; this mismatch is unusual. The SKILL.md also suggests running pip at runtime. Verify the actual install source (PyPI or GitHub release). Running pip at runtime will download and execute third-party code; confirm the package origin and inspect the package before installing.
ℹ Credential requirements
Requesting a single sensitive env var (NOSTR_NSEC) is proportionate for a calendar that must sign events. But the registry summary initially claimed no required env vars while both SKILL.md and metadata.json mark NOSTR_NSEC as required and sensitive — this inconsistency should be fixed. Ensure the key you provide is the intended entity's key (not your personal or high-privilege key).
✓ Persistence and privileges
always is false and the skill does not request system-wide config changes; it does not appear to modify other skills or system settings. The agent may invoke the skill autonomously (default), which is normal — combine this with sensitive-key access only if you want the agent to act without explicit user prompts.
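Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Version
latest v0.2.3 2026/3/14
● Benign
Install command
Official: npx clawhub@latest install nostrcalendar
Mirror (accelerated): npx clawhub@latest install nostrcalendar --registry https://cn.longxiaskill.com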