Pluginv2026.3.22

ClawScan security

Nostr · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 23, 2026, 9:58 PM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The plugin appears to implement the stated Nostr DM functionality, but there are inconsistencies (missing declared env requirements) and a prompt‑injection indicator in the instructions that warrant caution before installing.
Guidance: What to check before installing: - Metadata vs. docs: The package metadata does not declare any required environment variables, but the README and runtime expect you to provide a Nostr private key (NOSTR_PRIVATE_KEY). Confirm how you will supply and store that key (env var, not committed to config) and prefer a dedicated key with minimal access. - Config write access: The plugin can update the gateway config/profile via runtime.config.writeConfigFile and exposes a /api/channels/nostr HTTP route (auth: gateway). Ensure only trusted local/gateway callers can reach that route and that your gateway enforces proper authentication. - Review the code you received: The bundled source appears to use only nostr-tools and standard libraries. If you have doubts, search the source for any hardcoded URLs or unexpected network calls. The default relays are public Nostr relays (wss://relay.damus.io, wss://nos.lol) — expected for Nostr. - Prompt-injection artifact: The SKILL.md contains unicode control characters flagged by the scanner. Open the README in a text editor that can show invisible characters or run a sanity check to ensure there are no hidden instructions or obfuscated payloads. - Run in isolation first: Install and test the plugin in a staging or isolated gateway instance, using a throwaway Nostr key, and run traffic through a local relay (as suggested) to verify behavior before enabling in production. - Least privilege: Use allowlist DM policy in production if you can, and do not embed private keys in committed config files. Consider rotating the key if you later remove the plugin. If you want, I can point you to the exact source locations that read/write the config, register the HTTP route, and that expect the private key so you can review those functions line-by-line.
Findings: [unicode-control-chars] unexpected: The static scan detected unicode control characters in SKILL.md. This looks like a prompt-injection pattern and is not expected for a normal README. It may be benign formatting, but treat it as a warning: inspect the README/skill instructions for hidden characters or suspiciously formatted text before trusting automated processing.

Review Dimensions

Purpose & Capability: noteThe code and README implement a Nostr (NIP-04) channel: sending/receiving encrypted DMs, profile publish/import, and relay management — all consistent with the skill name/description. However, the package metadata declares no required environment variables while the README and runtime expect a private key (NOSTR_PRIVATE_KEY) to be supplied; this is an inconsistency but not necessarily malicious.
Instruction Scope: okSKILL.md instructions are scoped to installing and configuring a Nostr channel (generate keypair, set NOSTR_PRIVATE_KEY, add to OpenClaw config). The instructions do not ask the agent to read arbitrary files or exfiltrate data. The code registers an HTTP handler and can update the channel profile in the gateway config — behavior that matches the documented admin operations.
Install Mechanism: okNo external install script or remote download URLs are present in the manifest. The package has normal npm metadata and dependencies (nostr-tools, zod). The skill bundle contains source files rather than relying on a downloaded binary — no high-risk network install behavior detected.
Credentials: concernThe plugin legitimately needs a Nostr private key to sign/encrypt messages, and the runtime and README instruct the user to set NOSTR_PRIVATE_KEY. However, the registry metadata lists no required env vars or primary credential. That mismatch reduces transparency. Aside from the private key, the plugin does not request unrelated credentials. The code can write the gateway config (updateConfigProfile/writeConfigFile), so the plugin needs permission to modify its own channel config — expected for this feature but worth noting.
Persistence & Privilege: okThe skill is not force-enabled (always: false). It registers an HTTP route with auth: 'gateway' and includes loopback/CSRF guards for profile mutation endpoints. The plugin writes only its own config/profile state; there is no evidence it modifies other skills or escalates privileges.