nostr
Pass
Audited by Gen Agent Trust Hub on Mar 10, 2026
Risk Level: SAFEPROMPT_INJECTIONEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface through the ingestion of untrusted data from the Nostr network.
- Ingestion points: Commands
read-feed,search-tags, andget-profilefetch content (notes and profiles) from public Nostr relays into the agent's context. - Boundary markers: The output does not include boundary markers or instructions to the agent to ignore embedded commands within the fetched data.
- Capability inventory: The agent has the ability to write back to the network (via
postandamplify-signal) and access wallet keys, creating a risk if fetched content contains malicious instructions that the agent executes. - Sanitization: No content filtering or sanitization is performed on the data retrieved from relays.
- [EXTERNAL_DOWNLOADS]: The
amplify-signalcommand fetches data fromhttps://1btc-news-api.p-d07.workers.dev/takes/. This is a vendor-specific resource associated withaibtc.newsused for its intended purpose of signal amplification. - [DATA_EXPOSURE]: The skill uses the agent's Bitcoin BIP84 derivation path (
m/84'/0'/0'/0/0) to derive its Nostr identity. As noted in the documentation, this creates a shared risk where a compromise of the Nostr signing environment or keys directly impacts the security of the associated Bitcoin wallet. - [COMMAND_EXECUTION]: The skill implements a CLI-based execution model where the agent can trigger cryptographic signing and network broadcasts to public relays.
Audit Metadata