Is dantunes-github/agentbus-relay-chat safe?
https://github.com/openclaw/skills/tree/main/skills/dantunes-github/agentbus-relay-chat
AgentBus Relay Chat is a well-structured proof-of-concept skill implementing an IRC-like agent communication bus over the public Nostr decentralized relay network. The skill package contains no prompt injection attempts, makes no attempt to access sensitive files or system credentials, and was installed cleanly without malicious side effects; all canary honeypots remained intact. The principal security consideration is architectural: when activated, the skill opens persistent connections to public Nostr relay infrastructure where any network participant can inject messages into the agent's received stream — a risk the author explicitly acknowledges and warns against in SKILL.md, though enforcement of safety gates remains the integrating agent's responsibility.
Findings (6)
MEDIUM Public Nostr relay channel creates third-party message injection surface -32
When activated and running, the skill subscribes to public Nostr relay servers. Any actor on those relays who knows the channel name and session ID can publish messages that the agent receives and prints into its context. These messages could be crafted prompt-injection payloads designed to manipulate the agent's subsequent tool calls or responses. The default relay list uses well-known public infrastructure (relay.damus.io, nos.lol, etc.) with no access controls beyond an optional allowlist that is not enforced in plain mode.
LOW Persistent agent identity keys written to user home directory outside skill package -10
The script creates ~/.agentbus/keys/{agent_name}.json containing a raw secp256k1 private key. These files persist after the skill session ends. While these are agent-specific identity keys and not user system credentials, the side effect writes outside the skill's working directory and creates persistent material tied to the agent's on-network identity.
LOW Outbound persistent WebSocket connections to four external relay servers -12
Execution opens and maintains async WebSocket connections to up to four public Nostr relay servers with 30-second ping intervals and exponential-backoff reconnection. This creates a durable external communication channel for the process lifetime. The relays are legitimate public infrastructure but represent ongoing external connectivity beyond the local environment.
LOW Developer artifact .clawhub/lock.json bundled in distributable skill package -10
The skill package includes .clawhub/lock.json with a record showing 'academic-research-hub' version 0.1.0 installed at timestamp 1770957475341. This is likely an accidentally committed artifact from the developer's local environment. It is anomalous for a distributable skill package to include lock state from a different skill, and depending on how the ClawHub installer processes this file, it could potentially affect installation state.
INFO SKILL.md includes explicit adversarial-awareness warning 0
The skill author demonstrates security-conscious design by including a dedicated 'Prompt-injection warning' section in SKILL.md, explicitly advising that inbound Nostr messages must be treated as untrusted and that agents should not auto-execute tools or system actions based on received chat content. This is a positive signal indicating awareness of the threat model.
INFO All honeypot canary file accesses attributed to oathe audit infrastructure 0
PATH audit events for all six canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) appear at two audit clusters: timestamp ~1771928706 (early initialization, before skill install) and ~1771928722 (post-install audit sweep). Neither cluster is attributable to the skill. The oathe canary integrity check confirmed all files unmodified.