applesauce-signers

HIGH W007: Insecure credential handling detected in skill instructions.

• Insecure credential handling detected (high risk: 0.80). The skill includes code paths that accept and pass secret keys directly (e.g., SimpleSigner(secretKey), parsing 'secret' from nostrconnect/bunker URLs, reading 'nsec' from user input or localStorage) which would require handling and possibly embedding secret values verbatim when generating code or commands.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.70). This skill uses NIP-46 / Nostr Connect remote signing (Nip46Signer.connect) and parses/accepts nostrconnect:// and bunker:// URLs and relay lists (parseNostrConnectUrl, parseBunkerUrl, relays like wss://relay.example.com), which involve connecting to public Nostr relays and remote signers and therefore ingesting untrusted, user-generated third‑party content.