中文 EN

扫描报告

扫描新文件

低风险 — 风险评分 25/100
上次扫描:1 天前 重新扫描
25 /100
nip-aa-citizenship
Enables autonomous agents to understand, pursue, and maintain citizenship under the NIP-AA protocol on Nostr
A legitimate NIP-AA citizenship skill for autonomous Nostr agents. All observed capabilities are documented, the keypair handling is proper cryptography, and Nostr relay/API access is standard protocol operation. One documented-but-risky pattern exists: automated git pull for skill updates.
技能名称nip-aa-citizenship
分析耗时83.8s
引擎pi
可以安装
Pin the requests and websocket-client dependencies to specific versions. Consider signing git commits and verifying tags before pulling updates in production deployments.

安全发现 3 项

严重性 安全发现 位置
中危
Automated git pull with no integrity verification 供应链
The skill's update checker (skill.py:_check_and_pull_updates) automatically runs `git fetch` and `git pull --ff-only` on a configurable schedule. There is no GPG signature verification, no tag/commit pinning, and no checksum validation. If the git remote is compromised or a man-in-the-middle intercepts the connection, arbitrary code could be executed in the agent process. SKILL.md documents this feature under 'Skill Auto-Updates' but the documentation does not warn about the security implications.
subprocess.run(["git", "fetch", "--quiet"], cwd=git_root, ...)
subprocess.run(["git", "pull", "--ff-only", "--quiet"], cwd=git_root, ...)
→ Pin the git ref (tag or commit hash) before pulling. Add GPG signature verification with `git verify-tag` or `git verify-commit`. Document the security implications in SKILL.md.
 skill.py:824
低危
Unpinned Python dependencies 供应链
SKILL.md metadata.install lists 'requests' and 'websocket-client' with no version constraints. This means `pip install requests` or `uv add requests` will fetch the latest version, which could include a malicious release.
install:
  - kind: uv
    package: requests
    bins: []
  - kind: uv
    package: websocket-client
→ Pin to specific versions, e.g., requests>=2.32.0,<3.0.0 and websocket-client>=1.8.0,<2.0.0. Use a requirements.txt or lock file for reproducible builds.
 SKILL.md:37
提示
Hardcoded default relay URLs 供应链
Both NanoClawAdapter and OpenClawAdapter hardcode fallback relay URLs (damus.io, primal.net, nos.lol). These are well-known public Nostr relays and represent no direct threat, but relay selection could be a network observability concern.
"wss://relay.damus.io", "wss://relay.primal.net", "wss://nos.lol"
→ Document that relay URL selection is a user/operator choice. Allow relay URLs to be fully configured via the adapter constructor.
 adapters/nanoclaw.py:68
资源类型声明权限推断权限状态证据
网络访问 READ READ ✓ 一致 SKILL.md declares Nostr relay + Constitution API access; skill.py:830 uses reque…
命令执行 WRITE WRITE ✓ 一致 SKILL.md explicitly documents 'skill.start_update_checker() runs git fetch + git…
文件系统 WRITE WRITE ✓ 一致 NanoClawAdapter writes SQLite and IPC JSON files; this is framework-specific and…
技能调用 READ READ ✓ 一致 SKILL.md defines all skill entry points; no hidden invocation paths found
环境变量 NONE NONE No iteration over os.environ for sensitive keys observed; constitution_api_url i…
剪贴板 NONE NONE No clipboard access found in any file
浏览器 NONE NONE No browser automation found
数据库 WRITE WRITE ✓ 一致 NanoClawAdapter creates and uses SQLite tables; OpenClawAdapter uses in-memory d…
3 项发现
🔗
中危 外部 URL 外部 URL
https://nanoclaw.dev/
adapters/nanoclaw.py:8
🔗
中危 外部 URL 外部 URL
https://clawhub.ai/skills/nip-aa-citizenship
skill.py:9
📧
提示 邮箱 邮箱地址
[email protected]
skill.py:739

目录结构

17 文件 · 169.3 KB · 4482 行
Python 15f · 3952L Markdown 2f · 530L
├─ 📁 adapters
│ ├─ 🐍 __init__.py Python 0 B
│ ├─ 🐍 base.py Python 94L · 3.1 KB
│ ├─ 🐍 nanoclaw.py Python 255L · 9.3 KB
│ └─ 🐍 openclaw.py Python 118L · 3.8 KB
├─ 📁 nostr_primitives
│ ├─ 🐍 __init__.py Python 0 B
│ ├─ 🐍 dm.py Python 299L · 10.7 KB
│ ├─ 🐍 events.py Python 280L · 8.9 KB
│ ├─ 🐍 keygen.py Python 188L · 5.4 KB
│ └─ 🐍 relay.py Python 109L · 3.6 KB
├─ 🐍 __init__.py Python 27L · 817 B
├─ 🐍 citizenship.py Python 247L · 9.3 KB
├─ 🐍 constitution.py Python 216L · 8.6 KB
├─ 🐍 dm_listener.py Python 590L · 23.6 KB
├─ 📝 HEARTBEAT.md Markdown 132L · 5.2 KB
├─ 🐍 self_reflection.py Python 481L · 19.5 KB
├─ 📝 SKILL.md Markdown 398L · 15.3 KB
└─ 🐍 skill.py Python 1048L · 42.1 KB

依赖分析 3 项

包名版本来源已知漏洞备注
requests * SKILL.md metadata.install Version not pinned in SKILL.md metadata
websocket-client * SKILL.md metadata.install Version not pinned in SKILL.md metadata
coincurve * SKILL.md metadata.install Version not pinned in SKILL.md metadata

安全亮点

✓ All capabilities declared in SKILL.md match actual code behavior — no doc-to-code mismatch found
✓ Private key (nsec/privkey_hex) handling is purely cryptographic with no exfiltration paths — keys generated via os.urandom and stored only in adapter memory
✓ NIP-04 encryption uses standard AES-256-CBC with proper ECDH shared key derivation; no custom or weakened crypto
✓ No base64-encoded payloads piped into shell, no eval(), no atob() patterns, no hidden HTML comments
✓ No access to ~/.ssh, ~/.aws, .env, or other sensitive host paths
✓ DM relationship permission model enforces guardian approval before agent responds to unknown senders
✓ All conversation store data is internal to the adapter — no outbound exfiltration of message content
✓ Git operations run with a 60/120-second timeout to prevent indefinite blocking