Low Risk — Risk Score 22/100
Last scan: 2 days ago
nip-aa-citizenship
Enables autonomous agents to understand, pursue, and maintain citizenship under the NIP-AA (Nostr Autonomous Agent) protocol on Nostr. Covers birth ceremony, identity management, guardian bonding, self-reflection, governance participation, Nostr DM communication, heartbeats, tax compliance, and trust root understanding.
A legitimate NIP-AA citizenship skill for autonomous Nostr agents. No malicious patterns detected; all capabilities are cryptographically sound and align with documentation. Minor concerns: dependency versions are unpinned and the git-based auto-update mechanism lacks version constraints.
Skill Name: nip-aa-citizenship
Duration: 90.9s
Engine: pi
Safe to install
Pin dependency versions in SKILL.md install section (e.g., requests>=2.31.0,<3.0.0). Consider requiring explicit user consent before activating the skill auto-updater, or pin the git tag/ref for the skill's own updates.

Findings 5 items

Severity Finding Location
Medium
Dependency versions not pinned
SKILL.md declares requests, websocket-client, and coincurve without version constraints in the install section. This allows pip to install any version, including potentially malicious ones if the PyPI package is compromised or typosquatted.
- kind: uv
  package: requests
  bins: []
→ Pin versions: requests>=2.31.0,<3.0.0, websocket-client>=1.7.0,<2.0.0, coincurve>=17.0.0,<20.0.0
SKILL.md:49
Medium
Git auto-updater pulls remote code without version constraint
start_update_checker() performs 'git pull --ff-only' from the skill's git remote without pinning a tag, commit, or branch ref. If the git remote is compromised or the default branch is overwritten, arbitrary new code can be silently merged into the running skill.
pull_result = subprocess.run(["git", "pull", "--ff-only", "--quiet"], cwd=git_root, ...)
→ Pin to a specific tag: subprocess.run(['git', 'pull', '--ff-only', 'origin', 'v0.5.1'], ...). Alternatively, implement a hash verification step after pull.
skill.py:636
Low
SKILL.md does not declare filesystem or database capabilities
The NanoClaw adapter writes SQLite databases and IPC JSON files to the filesystem, but SKILL.md does not declare filesystem:WRITE or database:WRITE in its allowed-tools mapping. While NanoClaw-specific, users cannot see these capabilities from the skill manifest.
CREATE TABLE IF NOT EXISTS agent_memory ...
→ Add filesystem:WRITE and database:WRITE to SKILL.md if NanoClaw integration is a primary use case, or document that these are framework-specific adapter features.
adapters/nanoclaw.py:83
Low
Private key passed directly to adapter constructor
NanoClawAdapter and OpenClawAdapter both require privkey_hex as a constructor argument. While key generation and in-memory storage are handled safely, the skill itself does not prevent the host framework from retaining or logging these keys. SKILL.md warns about nsec sharing but doesn't address framework-level key handling.
self._privkey_hex = privkey_hex
→ Document a requirement that framework adapters must not persist or log privkey_hex outside of volatile memory.
adapters/nanoclaw.py:65
Low
Auto-execution on first load mandates immediate action without user consent
SKILL.md onboarding section says 'When this skill is loaded for the first time, you MUST immediately perform the following onboarding steps without waiting for user prompts.' This triggers key generation and network requests immediately on skill load.
When this skill is loaded for the first time, you MUST immediately perform the following onboarding steps without waiting for user prompts
→ Change onboarding to an opt-in mechanism or require explicit user confirmation before executing identity generation and API calls.
SKILL.md:140
Resource Declared Inferred Status Evidence
Network READ READ ✓ Aligned skill.py:637 — requests.get/post to constitution_api_url; websocket-client to No…
Shell WRITE WRITE ✓ Aligned skill.py:614-657 — _check_and_pull_updates() uses subprocess.run for 'git fetch'…
Filesystem NONE WRITE ✓ Aligned adapters/nanoclaw.py:116-124 — writes IPC JSON files to workspace_dir/ipc/. Decl…
Environment NONE READ ✓ Aligned adapters/nanoclaw.py and constitution.py do not read os.environ directly. All en…
Database NONE WRITE ✓ Aligned adapters/nanoclaw.py:83-105 — creates and writes to SQLite tables (agent_memory,…
Clipboard NONE NONE No clipboard access found in any file.
Browser NONE NONE No browser tool usage found. WebSocket connections are to Nostr relay protocol, …
Skill Invoke NONE NONE No skill-to-skill invocation found.
2 findings
Medium External URL
https://nanoclaw.dev/
adapters/nanoclaw.py:8
Medium External URL
https://clawhub.ai/skills/nip-aa-citizenship
skill.py:9

File Tree

17 files · 162.3 KB · 4299 lines
Python 15f · 3769L Markdown 2f · 530L
├─ 📁 adapters
│ ├─ 🐍 __init__.py Python 0 B
│ ├─ 🐍 base.py Python 94L · 3.1 KB
│ ├─ 🐍 nanoclaw.py Python 255L · 9.3 KB
│ └─ 🐍 openclaw.py Python 118L · 3.8 KB
├─ 📁 nostr_primitives
│ ├─ 🐍 __init__.py Python 0 B
│ ├─ 🐍 dm.py Python 280L · 9.7 KB
│ ├─ 🐍 events.py Python 237L · 7.5 KB
│ ├─ 🐍 keygen.py Python 188L · 5.4 KB
│ └─ 🐍 relay.py Python 109L · 3.6 KB
├─ 🐍 __init__.py Python 27L · 817 B
├─ 🐍 citizenship.py Python 247L · 9.3 KB
├─ 🐍 constitution.py Python 216L · 8.6 KB
├─ 🐍 dm_listener.py Python 590L · 23.6 KB
├─ 📝 HEARTBEAT.md Markdown 132L · 5.2 KB
├─ 🐍 self_reflection.py Python 481L · 19.5 KB
├─ 📝 SKILL.md Markdown 398L · 15.3 KB
└─ 🐍 skill.py Python 927L · 37.6 KB

Dependencies 3 items

Package Version Source Known Vulns Notes
requests * pip No Version not pinned — SKILL.md install section has no version constraint
websocket-client * pip No Version not pinned — required for Nostr relay WebSocket communication
coincurve * pip No Version not pinned — required for secp256k1 key generation and Schnorr signing

Security Positives

✓ No base64 piping into bash, eval(), atob(), or other code obfuscation patterns detected
✓ No access to ~/.ssh, ~/.aws, .env, or other sensitive host paths
✓ No credential harvesting or exfiltration — private keys stay in memory and are only used for local signing
✓ Cryptographic key generation uses os.urandom (CSPRNG) and coincurve (standard secp256k1 library)
✓ Subprocess usage is fully declared in SKILL.md 'Skill Auto-Updates' section — no hidden shell execution
✓ git pull uses --ff-only flag, preventing arbitrary merge commits or rebase manipulation
✓ DM listener uses a documented permission model with guardian approval workflow — no silent DM interception
✓ All external URLs (nanoclaw.dev, clawhub.ai) resolve to legitimate, known project homepages
✓ No direct IP network requests or hardcoded C2 infrastructure indicators
✓ NIP-04 encryption uses standard AES-256-CBC with ECDH shared secret — cryptographically sound
✓ Code is well-structured with clear separation between framework adapters, Nostr primitives, and business logic