nak

Fail

Audited by Snyk on Feb 15, 2026

Risk Level: CRITICAL
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The prompt includes multiple examples that pass private keys directly on the command line or via substitution/tee (e.g., --sec , --sec $(cat /path/to/key.txt), nak key generate | tee secret.key) which require the agent to include secret values verbatim in generated commands, creating exfiltration risk.

CRITICAL E005: Suspicious download URL detected in skill instructions.

  • Suspicious download URL detected (high risk: 0.70). The links point to a public GitHub repo (fiatjaf/nak) and its raw install.sh — the repo appears legitimate but piping a raw shell script from raw.githubusercontent.com to sh is inherently risky (it will execute arbitrary commands and could be dangerous if the script or account is compromised), so review the script before running.

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 1.00). The skill instructs the agent to fetch and stream posts/events from public Nostr relays (e.g., using commands like nak req, nak fetch, nak req --stream against relays such as relay.primal.net, eclipse.pub, ditto.pub), which are open/public, user-generated, untrusted content that the agent will read and interpret.

Audit Metadata

Risk Level: CRITICAL
Analyzed: Feb 15, 2026, 09:35 PM