Low Risk — Risk Score 25/100
nip-aa-citizenship
Enables autonomous agents to understand, pursue, and maintain citizenship under the NIP-AA protocol on Nostr
A legitimate NIP-AA citizenship skill for autonomous Nostr agents. All observed capabilities are documented, the keypair handling is proper cryptography, and Nostr relay/API access is standard protocol operation. One documented-but-risky pattern exists: automated git pull for skill updates.
Skill Name: nip-aa-citizenship
Duration: 83.8s
Engine: pi
Safe to install
Pin the requests and websocket-client dependencies to specific versions. Consider signing git commits and verifying tags before pulling updates in production deployments.

Findings 3 items

Severity Finding Location
Medium
Automated git pull with no integrity verification Supply Chain
The skill's update checker (skill.py:_check_and_pull_updates) automatically runs `git fetch` and `git pull --ff-only` on a configurable schedule. There is no GPG signature verification, no tag/commit pinning, and no checksum validation. If the git remote is compromised or a man-in-the-middle intercepts the connection, arbitrary code could be executed in the agent process. SKILL.md documents this feature under 'Skill Auto-Updates' but the documentation does not warn about the security implications.
subprocess.run(["git", "fetch", "--quiet"], cwd=git_root, ...)
subprocess.run(["git", "pull", "--ff-only", "--quiet"], cwd=git_root, ...)
→ Pin the git ref (tag or commit hash) before pulling. Add GPG signature verification with `git verify-tag` or `git verify-commit`. Document the security implications in SKILL.md.
skill.py:824
Low
Unpinned Python dependencies Supply Chain
SKILL.md metadata.install lists 'requests' and 'websocket-client' with no version constraints. This means `pip install requests` or `uv add requests` will fetch the latest version, which could include a malicious release.
install:
  - kind: uv
    package: requests
    bins: []
  - kind: uv
    package: websocket-client
→ Pin to specific versions, e.g., requests>=2.32.0,<3.0.0 and websocket-client>=1.8.0,<2.0.0. Use a requirements.txt or lock file for reproducible builds.
SKILL.md:37
Info
Hardcoded default relay URLs Supply Chain
Both NanoClawAdapter and OpenClawAdapter hardcode fallback relay URLs (damus.io, primal.net, nos.lol). These are well-known public Nostr relays and represent no direct threat, but relay selection could be a network observability concern.
"wss://relay.damus.io", "wss://relay.primal.net", "wss://nos.lol"
→ Document that relay URL selection is a user/operator choice. Allow relay URLs to be fully configured via the adapter constructor.
adapters/nanoclaw.py:68
Resource | Declared | Inferred | Status | Evidence
Network | READ | READ | ✓ Aligned | SKILL.md declares Nostr relay + Constitution API access; skill.py:830 uses reque…
Shell | WRITE | WRITE | ✓ Aligned | SKILL.md explicitly documents 'skill.start_update_checker() runs git fetch + git…
Filesystem | WRITE | WRITE | ✓ Aligned | NanoClawAdapter writes SQLite and IPC JSON files; this is framework-specific and…
Skill Invoke | READ | READ | ✓ Aligned | SKILL.md defines all skill entry points; no hidden invocation paths found
Environment | NONE | NONE | | No iteration over os.environ for sensitive keys observed; constitution_api_url i…
Clipboard | NONE | NONE | | No clipboard access found in any file
Browser | NONE | NONE | | No browser automation found
Database | WRITE | WRITE | ✓ Aligned | NanoClawAdapter creates and uses SQLite tables; OpenClawAdapter uses in-memory d…
3 findings
Medium External URL
https://nanoclaw.dev/
adapters/nanoclaw.py:8
Medium External URL
https://clawhub.ai/skills/nip-aa-citizenship
skill.py:9
Info Email
[email protected]
skill.py:739

File Tree

17 files · 169.3 KB · 4482 lines
Python 15f · 3952L Markdown 2f · 530L
├─ 📁 adapters
│ ├─ 🐍 __init__.py Python 0 B
│ ├─ 🐍 base.py Python 94L · 3.1 KB
│ ├─ 🐍 nanoclaw.py Python 255L · 9.3 KB
│ └─ 🐍 openclaw.py Python 118L · 3.8 KB
├─ 📁 nostr_primitives
│ ├─ 🐍 __init__.py Python 0 B
│ ├─ 🐍 dm.py Python 299L · 10.7 KB
│ ├─ 🐍 events.py Python 280L · 8.9 KB
│ ├─ 🐍 keygen.py Python 188L · 5.4 KB
│ └─ 🐍 relay.py Python 109L · 3.6 KB
├─ 🐍 __init__.py Python 27L · 817 B
├─ 🐍 citizenship.py Python 247L · 9.3 KB
├─ 🐍 constitution.py Python 216L · 8.6 KB
├─ 🐍 dm_listener.py Python 590L · 23.6 KB
├─ 📝 HEARTBEAT.md Markdown 132L · 5.2 KB
├─ 🐍 self_reflection.py Python 481L · 19.5 KB
├─ 📝 SKILL.md Markdown 398L · 15.3 KB
└─ 🐍 skill.py Python 1048L · 42.1 KB

Dependencies 3 items

Package | Version | Source | Known Vulns | Notes
requests | * | SKILL.md metadata.install | No | Version not pinned in SKILL.md metadata
websocket-client | * | SKILL.md metadata.install | No | Version not pinned in SKILL.md metadata
coincurve | * | SKILL.md metadata.install | No | Version not pinned in SKILL.md metadata

Security Positives

✓ All capabilities declared in SKILL.md match actual code behavior — no doc-to-code mismatch found
✓ Private key (nsec/privkey_hex) handling is purely cryptographic with no exfiltration paths — keys generated via os.urandom and stored only in adapter memory
✓ NIP-04 encryption uses standard AES-256-CBC with proper ECDH shared key derivation; no custom or weakened crypto
✓ No base64-encoded payloads piped into shell, no eval(), no atob() patterns, no hidden HTML comments
✓ No access to ~/.ssh, ~/.aws, .env, or other sensitive host paths
✓ DM relationship permission model enforces guardian approval before agent responds to unknown senders
✓ All conversation store data is internal to the adapter — no outbound exfiltration of message content
✓ Git operations run with a 60/120-second timeout to prevent indefinite blocking