Is 6830920/clawlet safe?
https://github.com/openclaw/skills/tree/main/skills/6830920/clawlet
Clawlet is a legitimate Nostr social media client that provides standard functionality for identity management, posting, and timeline reading. The skill uses proper cryptographic libraries and follows secure coding practices. While it handles private keys and connects to external relays (both necessary for Nostr functionality), these operations are implemented appropriately.
Findings (4)
LOW External Nostr relay connections -10
The skill connects to external Nostr relays (relay.damus.io, nos.lol, nostr.wine) for legitimate social media functionality. This is expected behavior for a Nostr client but involves data transmission to third parties.
LOW Local private key storage -5
The skill stores Nostr private keys locally in data/identities.json. While this is legitimate functionality, it creates a sensitive data store that could be targeted.
MEDIUM Private key management responsibilities -15
The skill generates and manages cryptographic private keys for Nostr identities. If compromised, these keys could enable identity impersonation on the Nostr network.
LOW Social media posting capabilities -5
The skill can post content to the Nostr network, which could potentially be misused for spam or harassment if the skill or system is compromised.