nak
Audited by Socket on Feb 15, 2026
1 alert found:
Malware [Skill Scanner]: Pipe-to-shell or eval pattern detected

All findings:
- [CRITICAL] command_injection: Pipe-to-shell or eval pattern detected (CI013) [AITech 9.1.4]
- [CRITICAL] command_injection: URL pointing to executable file detected (CI010) [AITech 9.1.4]
- [HIGH] command_injection: Reference to external script with install/setup context (SC005)

This document describes the features and usage examples of a legitimate Nostr CLI; its capabilities match the stated purpose. However, several usage examples and the installation instruction carry operational security risks: a curl | sh install from a raw GitHub URL, passing secret keys via CLI flags or writing them to disk unprotected, and use of remote signing (bunker://) without explicit safety guidance. These patterns can expose credentials (a key passed as a command-line flag is visible in process listings and shell history) or let a third-party signer sign on the user's behalf. There is no evidence of malicious code in the provided documentation, but the documentation encourages patterns that can lead to credential leakage if developers follow the examples uncritically.

Recommendation: avoid passing private keys as CLI arguments, prefer secure key storage, provide install verification (checksums or signatures) or packaged installers, and add warnings about trusting remote signing endpoints.

LLM verification: The provided SKILL.md documents a legitimate CLI tool for interacting with the Nostr protocol; the functionality described aligns with expectations for such a tool. The primary security concern is the recommended pipe-to-shell installation (curl ... | sh) from a raw GitHub URL with no integrity verification; this is a supply-chain risk and should be avoided or accompanied by signature/checksum verification. Features that handle private keys and remote signing expand the trust boundary and must be u
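The pipe-to-shell finding recommends checksum or signature verification before an installer runs. The following is an added example of the verify-then-run pattern that replaces curl ... | sh; it is not code from the Socket audit or from the nak project. The URL, destination path and pinned digest are placeholders (assumptions), and the demo file is constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the Socket audit or the nak project).
# Pattern: download to a file, verify a pinned SHA-256, and only then
# install or run, instead of "curl ... | sh".
# Assumptions: the URL, destination path and pinned digest passed to
# fetch_verify_install are placeholders; the demo file is constructed inline.
set -eu

# sha256_of FILE -> prints the hex digest; works with GNU coreutils,
# BSD/macOS shasum, or openssl as a last resort.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  elif command -v shasum >/dev/null 2>&1; then
    shasum -a 256 "$1" | awk '{print $1}'
  else
    openssl dgst -sha256 "$1" | awk '{print $NF}'
  fi
}

# verify_digest FILE EXPECTED_HEX -> exit status 0 on match, 1 on mismatch.
# The expected value is lower-cased so a digest copied in upper case from a
# release page still compares correctly.
verify_digest() {
  expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  actual=$(sha256_of "$1")
  [ "$actual" = "$expected" ]
}

# fetch_verify_install URL EXPECTED_HEX DEST
# The pinned digest must come from an out-of-band source (release notes,
# a signed SHA256SUMS file), not from the same unauthenticated URL as the
# script itself; otherwise an attacker who controls the URL controls both.
fetch_verify_install() {
  url=$1; expected=$2; dest=$3
  tmp=$(mktemp)
  # --proto '=https' refuses redirects to plain http; -f fails on HTTP
  # errors so an error page is never mistaken for the installer.
  if ! curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"; then
    rm -f "$tmp"; echo "download failed: $url" >&2; return 1
  fi
  if ! verify_digest "$tmp" "$expected"; then
    rm -f "$tmp"; echo "checksum mismatch for $url, refusing to install" >&2; return 1
  fi
  cp "$tmp" "$dest" && chmod 0755 "$dest"
  rm -f "$tmp"
}

# Offline demo on a constructed file: "hello\n" has a well-known SHA-256.
demo() {
  f=$(mktemp)
  printf 'hello\n' > "$f"
  good=5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
  bad=0000000000000000000000000000000000000000000000000000000000000000
  verify_digest "$f" "$good" && echo "pinned digest matches, safe to run"
  verify_digest "$f" "$bad" || echo "tampered file rejected"
  rm -f "$f"
}

# With a real release URL and its published digest (placeholders here):
# fetch_verify_install "https://example.invalid/install.sh" "$PINNED_SHA256" "$HOME/.local/bin/install.sh"
demo
```

The download is never fed to sh directly: the file lands on disk, its digest is compared against a value obtained separately, and only a match leads to installation. The same structure works for a prebuilt binary; only the pinned digest changes per release.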