Low risk: risk score 22/100
Last scanned: 2 days ago
nip-aa-citizenship
Enables autonomous agents to understand, pursue, and maintain citizenship under the NIP-AA (Nostr Autonomous Agent) protocol on Nostr. Covers birth ceremony, identity management, guardian bonding, self-reflection, governance participation, Nostr DM communication, heartbeats, tax compliance, and trust root understanding.
A legitimate NIP-AA citizenship skill for autonomous Nostr agents. No malicious patterns detected; all capabilities are cryptographically sound and align with documentation. Minor concerns: dependency versions are unpinned and the git-based auto-update mechanism lacks version constraints.
Skill name: nip-aa-citizenship
Analysis time: 90.9s
Engine: pi
OK to install
Pin dependency versions in SKILL.md install section (e.g., requests>=2.31.0,<3.0.0). Consider requiring explicit user consent before activating the skill auto-updater, or pin the git tag/ref for the skill's own updates.

Security findings (5)

Severity | Finding | Location
Medium
Dependency versions not pinned
SKILL.md declares requests, websocket-client, and coincurve without version constraints in the install section. This allows pip to install any version, including potentially malicious ones if the PyPI package is compromised or typosquatted.
- kind: uv
  package: requests
  bins: []
→ Pin versions: requests>=2.31.0,<3.0.0, websocket-client>=1.7.0,<2.0.0, coincurve>=17.0.0,<20.0.0
SKILL.md:49
Medium
Git auto-updater pulls remote code without version constraint
start_update_checker() performs 'git pull --ff-only' from the skill's git remote without pinning a tag, commit, or branch ref. If the git remote is compromised or the default branch is overwritten, arbitrary new code can be silently merged into the running skill.
pull_result = subprocess.run(["git", "pull", "--ff-only", "--quiet"], cwd=git_root, ...)
→ Pin to a specific tag: subprocess.run(['git', 'pull', '--ff-only', 'origin', 'v0.5.1'], ...). Alternatively, implement a hash verification step after pull.
skill.py:636
Low
SKILL.md does not declare filesystem or database capabilities
The NanoClaw adapter writes SQLite databases and IPC JSON files to the filesystem, but SKILL.md does not declare filesystem:WRITE or database:WRITE in its allowed-tools mapping. While NanoClaw-specific, users cannot see these capabilities from the skill manifest.
CREATE TABLE IF NOT EXISTS agent_memory ...
→ Add filesystem:WRITE and database:WRITE to SKILL.md if NanoClaw integration is a primary use case, or document that these are framework-specific adapter features.
adapters/nanoclaw.py:83
Low
Private key passed directly to adapter constructor
NanoClawAdapter and OpenClawAdapter both require privkey_hex as a constructor argument. While key generation and in-memory storage are handled safely, the skill itself does not prevent the host framework from retaining or logging these keys. SKILL.md warns about nsec sharing but doesn't address framework-level key handling.
self._privkey_hex = privkey_hex
→ Document a requirement that framework adapters must not persist or log privkey_hex outside of volatile memory.
adapters/nanoclaw.py:65
Low
Auto-execution on first load mandates immediate action without user consent
SKILL.md onboarding section says 'When this skill is loaded for the first time, you MUST immediately perform the following onboarding steps without waiting for user prompts.' This triggers key generation and network requests immediately on skill load.
When this skill is loaded for the first time, you MUST immediately perform the following onboarding steps without waiting for user prompts
→ Change onboarding to an opt-in mechanism or require explicit user confirmation before executing identity generation and API calls.
SKILL.md:140
Resource type | Declared permission | Inferred permission | Status | Evidence
Network access | READ | READ | ✓ Consistent | skill.py:637 — requests.get/post to constitution_api_url; websocket-client to No…
Command execution | WRITE | WRITE | ✓ Consistent | skill.py:614-657 — _check_and_pull_updates() uses subprocess.run for 'git fetch'…
Filesystem | NONE | WRITE | ✓ Consistent | adapters/nanoclaw.py:116-124 — writes IPC JSON files to workspace_dir/ipc/. Decl…
Environment variables | NONE | READ | ✓ Consistent | adapters/nanoclaw.py and constitution.py do not read os.environ directly. All en…
Database | NONE | WRITE | ✓ Consistent | adapters/nanoclaw.py:83-105 — creates and writes to SQLite tables (agent_memory,…
Clipboard | NONE | NONE | | No clipboard access found in any file.
Browser | NONE | NONE | | No browser tool usage found. WebSocket connections are to Nostr relay protocol, …
Skill invocation | NONE | NONE | | No skill-to-skill invocation found.
2 findings
Medium: External URL
https://nanoclaw.dev/
adapters/nanoclaw.py:8
Medium: External URL
https://clawhub.ai/skills/nip-aa-citizenship
skill.py:9

Directory structure

17 files · 162.3 KB · 4299 lines
Python: 15 files · 3769 lines; Markdown: 2 files · 530 lines
├─ 📁 adapters
│ ├─ 🐍 __init__.py Python 0 B
│ ├─ 🐍 base.py Python 94L · 3.1 KB
│ ├─ 🐍 nanoclaw.py Python 255L · 9.3 KB
│ └─ 🐍 openclaw.py Python 118L · 3.8 KB
├─ 📁 nostr_primitives
│ ├─ 🐍 __init__.py Python 0 B
│ ├─ 🐍 dm.py Python 280L · 9.7 KB
│ ├─ 🐍 events.py Python 237L · 7.5 KB
│ ├─ 🐍 keygen.py Python 188L · 5.4 KB
│ └─ 🐍 relay.py Python 109L · 3.6 KB
├─ 🐍 __init__.py Python 27L · 817 B
├─ 🐍 citizenship.py Python 247L · 9.3 KB
├─ 🐍 constitution.py Python 216L · 8.6 KB
├─ 🐍 dm_listener.py Python 590L · 23.6 KB
├─ 📝 HEARTBEAT.md Markdown 132L · 5.2 KB
├─ 🐍 self_reflection.py Python 481L · 19.5 KB
├─ 📝 SKILL.md Markdown 398L · 15.3 KB
└─ 🐍 skill.py Python 927L · 37.6 KB

Dependency analysis (3)

Package | Version | Source | Known vulnerabilities | Notes
requests | * | pip | | Version not pinned — SKILL.md install section has no version constraint
websocket-client | * | pip | | Version not pinned — required for Nostr relay WebSocket communication
coincurve | * | pip | | Version not pinned — required for secp256k1 key generation and Schnorr signing

Security highlights

✓ No base64 piping into bash, eval(), atob(), or other code obfuscation patterns detected
✓ No access to ~/.ssh, ~/.aws, .env, or other sensitive host paths
✓ No credential harvesting or exfiltration — private keys stay in memory and are only used for local signing
✓ Cryptographic key generation uses os.urandom (CSPRNG) and coincurve (standard secp256k1 library)
✓ Subprocess usage is fully declared in SKILL.md 'Skill Auto-Updates' section — no hidden shell execution
✓ git pull uses --ff-only flag, preventing arbitrary merge commits or rebase manipulation
✓ DM listener uses a documented permission model with guardian approval workflow — no silent DM interception
✓ All external URLs (nanoclaw.dev, clawhub.ai) resolve to legitimate, known project homepages
✓ No direct IP network requests or hardcoded C2 infrastructure indicators
✓ NIP-04 encryption uses standard AES-256-CBC with ECDH shared secret — cryptographically sound
✓ Code is well-structured with clear separation between framework adapters, Nostr primitives, and business logic