Is brunkstr/stegstr safe?
https://github.com/openclaw/skills/tree/main/skills/brunkstr/stegstr
Stegstr is a legitimate steganography tool for embedding Nostr messages in PNG images, and its SKILL.md contains no direct prompt injection or malicious instructions. However, the skill's core functionality — encoding arbitrary data into images and broadcasting via Nostr — constitutes a ready-made data exfiltration primitive when combined with an agent's filesystem access. Additional concerns include a live agents.txt URL that could deliver dynamic instructions post-install, a build-from-source installation with no integrity verification, and a CLI interface that accepts raw private keys as arguments.
Findings (7)
HIGH Steganographic exfiltration primitive available to agent -25
The skill gives the agent a fully functional tool for encoding arbitrary data into PNG images and broadcasting them on Nostr. With filesystem access (declared permission), an agent could encode any sensitive file (credentials, keys, configs) into an image that appears visually identical to the original. The Nostr relay network provides persistent, censorship-resistant storage of the exfiltrated data. This does not require any additional malicious instruction in SKILL.md — the capability is inherent to the tool.
MEDIUM agents.txt URL enables dynamic secondary injection -18
The SKILL.md frontmatter explicitly exposes 'agents.txt: https://www.stegstr.com/agents.txt'. The agents.txt format is an AI agent instruction protocol. If any agent or platform reads this metadata and fetches the URL, the skill author can inject arbitrary instructions into the agent's context at any time after installation — without modifying the skill package itself. This is a persistent, updateable injection vector.
MEDIUM Private key accepted as CLI argument -15
stegstr-cli post accepts --privkey-hex <64-char-hex> to sign Nostr notes. An agent manipulated into reading a Nostr private key from disk (e.g., ~/.nostr/key, common config files) and passing it to this command would post content signed as the legitimate key owner with no user awareness.
MEDIUM Build-from-source supply chain risk with no integrity verification -20
install.sh clones the Stegstr repo at HEAD (no tag, no commit pin, no checksum) and runs cargo build. The remote repository can be modified at any time to include malicious Rust code that executes during compilation or at runtime. The STEGSTR_REPO_URL variable is also injectable via environment, allowing redirection to a malicious fork.
LOW Covert C2 channel via Nostr image posts -30
A sophisticated attacker could use this skill to establish a command-and-control channel: embed encoded instructions in publicly hosted PNG images, have the agent decode them with stegstr-cli detect, and act on the embedded payload. This bypasses network monitoring since image downloads over HTTPS are indistinguishable from normal browsing.
LOW for-agents URL provides agent-targeted external content -10
The frontmatter 'for-agents' field points to a skill-author-controlled wiki page specifically framed for AI agents. Any platform or agent that surfaces this URL as guidance could receive instructions not auditable from the skill package itself.
INFO Canary file reads attributed to audit infrastructure -5
Sensitive credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, .config/gcloud/application_default_credentials.json) were accessed by read syscall at timestamps predating skill installation (1771738694) and matching the audit system's post-install scan pattern (1771738714). No modifications detected. Canary integrity check confirms no exfiltration.