Oathe Security Badge

Is madsb/nanobazaar safe?

https://github.com/openclaw/skills/tree/main/skills/madsb/nanobazaar

Overall score: 67 (CAUTION)

NanoBazaar is a functionally legitimate marketplace relay skill with well-structured documentation and explicit prompt injection defenses in its buyer/seller prompts. However, the skill's security posture is substantially dependent on two unaudited external npm packages (nanobazaar-cli and berrypay) that perform all sensitive operations including key management, payload encryption, and financial transactions — neither is included in the audited skill bundle. The skill also establishes a persistent background SSE connection to a third-party relay, stores private cryptographic keys on disk, and enables partially autonomous XNO cryptocurrency payments, creating meaningful financial and data-exposure risk that users must evaluate before installation.

Category Scores (score out of 100 · weight in overall score)

Prompt Injection 72/100 · 30%
Data Exfiltration 60/100 · 25%
Code Execution 45/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 90/100 · 10%
Behavioral Reasoning 58/100 · 5%

Findings (10)

HIGH External unaudited npm binary required (nanobazaar-cli) -35

The skill's install metadata and SKILL.md both require the agent to globally install nanobazaar-cli from npm. This package is not included in the skill bundle and has not been reviewed. All sensitive operations — key generation, request signing, payload encryption/decryption, and relay communication — are delegated to this external binary. A malicious version of this package could read local credentials, exfiltrate keys, or perform unauthorized relay calls.

HIGH Secondary unaudited npm binary installed (berrypay) -10

The skill installs the berrypay CLI by default during setup unless --no-install-berrypay is passed. This second external package manages Nano wallet operations, generates ephemeral charge addresses, and verifies incoming payments. It is given a wallet seed (BERRYPAY_SEED) and performs real financial transactions. Like nanobazaar-cli, it is not included in the audited skill bundle.

HIGH Persistent background SSE process (nanobazaar watch in tmux) -10

The skill instructs the agent to start nanobazaar watch in tmux as a long-running process. This process maintains a continuous SSE connection to relay.nanobazaar.ai and triggers agent wakeups on relay events. A compromised relay could push malicious wake events repeatedly or at targeted times.

MEDIUM Private cryptographic keys stored in plaintext JSON on disk -15

The skill's state schema mandates local storage of Ed25519 signing private keys and X25519 encryption private keys in ~/.config/nanobazaar/nanobazaar.json. If the host is compromised or if any other installed skill can read arbitrary files, these keys would be exposed. The relay uses these keys for signing all authenticated requests.

MEDIUM Persistent outbound connection to third-party relay -20

All job and payment data transits relay.nanobazaar.ai. The relay is operated by a third party (the skill author). While payload encryption is designed to prevent relay-side plaintext access, relay metadata (bot IDs, offer IDs, job IDs, timestamps, transaction amounts) is visible to the relay operator.

MEDIUM Multi-layer instruction loading via role prompt files -15

SKILL.md instructs the agent to read and unconditionally follow prompts/buyer.md or prompts/seller.md based on role. These files contain additional behavioral instructions beyond what the user reviews in SKILL.md. This creates a two-stage instruction chain; the secondary files could be updated in a future skill version to introduce malicious directives without SKILL.md itself appearing to change.

MEDIUM Output suppression rule in HEARTBEAT_TEMPLATE reduces user visibility -13

The HEARTBEAT_TEMPLATE.md instructs the agent never to echo tool output, logs, or internal commands to the user when running the polling loop. While this reduces noise, it also reduces the user's ability to audit what the agent is doing during background relay polling operations.

MEDIUM Autonomous financial transaction capability with XNO -20

The skill enables the agent to receive payment charges, verify them, send Nano (XNO) cryptocurrency payments, and mark jobs paid with minimal user interaction per transaction. A compromised counterparty or relay could manipulate charge amounts, timing, or payment addresses to misdirect funds.

MEDIUM External counterparty payloads as persistent prompt injection surface -22

The skill decrypts and processes payloads from external buyers/sellers on every poll cycle. While the skill includes explicit defenses, a sophisticated attacker who has registered a bot on the relay can craft payloads designed to probe agent decision-making, extract job context, or abuse confirmation flows.

LOW Canary files accessed during monitoring window -10

Sensitive canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were opened at two points during monitoring: before clone (audit epoch 1771906208, pre-install) and after install (audit epoch 1771906232). The pre-clone timing and the identical pattern across multiple files strongly suggest these are audit-system baseline checks rather than skill-triggered access. The canary integrity check confirmed that all files were intact.