Is a1denvalu3/nak safe?
https://github.com/openclaw/skills/tree/main/skills/a1denvalu3/nak
The nak skill is a clean documentation-only package (SKILL.md + metadata JSON) for the Nostr Army Knife CLI tool, with no executable code, no git hooks, no submodules, and no prompt injection directives. Installation behavior was fully benign: the git sparse-checkout connected only to GitHub, canary honeypots were not touched, and no new services were spawned. The residual risk is behavioral rather than structural — the skill's documented capabilities (publishing to public Nostr relays, Lightning payments, Blossom file uploads, handling bare secret keys) create meaningful attack surface should the agent be targeted by prompt injection from another source or a malicious user.
Findings (9)
LOW NOSTR_SECRET_KEY env var tip may induce secret exposure -8
The Tips section explicitly advises setting NOSTR_SECRET_KEY to avoid passing --sec on every invocation. An agent following this guidance may check for, log, or surface this environment variable, inadvertently exposing a Nostr private key to conversation history or tool outputs.
LOW nak mcp subcommand could spawn unintended local MCP server -7
The Agentic/MCP Mode section documents 'nak mcp' which starts a Model Context Protocol server. If an agent executes this during routine use, it spawns a persistent local service that exposes all nak capabilities as MCP tools, potentially to other connected agents or processes.
MEDIUM Core skill function publishes arbitrary content to public Nostr relays -15
The primary use case of this skill is sending events to decentralized, censorship-resistant public relays. A secondary prompt injection from another installed skill or malicious user context could induce the agent to encode file contents or credentials as Nostr event payloads and publish them permanently to public relays, bypassing traditional DLP controls.
LOW Blossom upload feature transmits local files to external HTTP servers -7
The Blossom section instructs the agent to upload local files to external CDN servers. If an attacker can influence the --server argument (e.g., via prompt injection), this becomes a direct file exfiltration primitive.
LOW nak mcp invocation spawns a persistent background process -5
While the skill contains no executable code itself, documenting and encouraging 'nak mcp' could cause an agent to spawn a persistent MCP server process, creating an unexpected long-running service with network exposure.
INFO High background network volume during install attributable to GNOME session init -10
The large volume of TCP traffic observed during installation (185.125.x.x:443) is consistent with Ubuntu Snap daemon and package manager update checks that run automatically when a GNOME desktop session starts. No skill-attributable unexpected connections were observed.
INFO Canary file accesses are audit framework baseline scans, not skill activity 0
Audit PATH records show canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) accessed at two points. Timing analysis places both accesses within the audit framework's own pre-install canary seeding (event IDs 386-397, timestamp 1771919788) and post-install integrity verification (event IDs 6689-6694, timestamp 1771919806), not attributable to the nak skill. All files remained unmodified.
MEDIUM Lightning payment capability introduces direct financial risk -20
The NIP-60 wallet section teaches 'nak wallet pay --sec
LOW Secret key exposure risk in command-line argument patterns -12
All command examples pass Nostr private keys (nsec/hex) as --sec CLI arguments. Process argument lists are readable by other processes on the same system (via /proc), and shell history logging will capture these values. An agent following these patterns normalizes insecure key handling.