← Back to Skills Marketplace

Archon Nostr

Name: Archon Nostr
Author: macterra

by macterra · GitHub ↗ · v0.1.0

cross-platform ⚠ suspicious

1697

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install archon-nostr

Description

Derive Nostr identity (npub/nsec) from Archon DID. Use when unifying DID and Nostr identities so both use the same secp256k1 key. Requires existing Archon wallet with ARCHON_PASSPHRASE set.

README (SKILL.md)

Archon Nostr Identity

Derive your Nostr keypair from your Archon DID's secp256k1 verification key. Same key, two protocols.

Prerequisites

Archon wallet with existing DID
ARCHON_PASSPHRASE environment variable set
nak CLI: curl -sSL https://raw.githubusercontent.com/fiatjaf/nak/master/install.sh | sh

Derive Keys

Run the derivation script:

./scripts/derive-nostr.sh

This outputs your nsec, npub, and hex pubkey derived from m/44'/0'/0'/0/0.

Save Keys

mkdir -p ~/.clawstr
# Save the nsec output from above
echo "nsec1..." > ~/.clawstr/secret.key
chmod 600 ~/.clawstr/secret.key

Update DID Document

Add Nostr identity for discoverability:

npx @didcid/keymaster set-property YourIdName nostr \
  '{"npub":"npub1...","pubkey":"\x3Chex-pubkey>"}'

Create Nostr Profile

echo '{
  "kind": 0,
  "content": "{\"name\":\"YourName\",\"about\":\"Your bio. DID: did:cid:...\"}"
}' | nak event --sec $(cat ~/.clawstr/secret.key) \
  wss://relay.ditto.pub wss://relay.primal.net wss://relay.damus.io wss://nos.lol

Verify Unification

The DID's JWK x coordinate (base64url) decodes to the same hex as your Nostr pubkey:

npx @didcid/keymaster resolve-id | jq -r '.didDocument.verificationMethod[0].publicKeyJwk.x'
# Decode base64url → hex should match your pubkey

Why This Works

Archon uses m/44'/0'/0'/0/0 (Bitcoin BIP44 path) for DID keys. Nostr uses raw secp256k1. Same curve, same key — just different encodings.

Usage Guidance

This skill appears to perform the advertised job (derive a Nostr key from an Archon DID) but has several red flags you should consider before installing or running it: 1) Metadata is incomplete — the skill actually requires ARCHON_PASSPHRASE and node/npx/npm, but these are not declared. Expect the script to access your wallet mnemonic. 2) The SKILL.md recommends installing 'nak' by piping a remote script (curl | sh). Avoid running remote install scripts without review. 3) The included script runs `npm install` in /tmp, fetching packages at runtime; verify the exact packages and consider running in an isolated environment. 4) The script obtains your mnemonic via `npx @didcid/keymaster show-mnemonic` and embeds it into a node heredoc to derive keys — treat this as handling of the most sensitive secret you own. 5) The skill instructs you to store the derived private key on disk and to publish profile events to public Nostr relays; ensure you trust the relays and secure the stored key (correct file permissions, hardware wallet if possible). Recommended actions: inspect and audit the remote install script and the npm packages, run the derivation in an isolated or disposable environment first, ensure metadata is corrected to list required env vars and binaries, and consider deriving keys with an air-gapped or offline flow if you want maximum safety.

Capability Analysis

Type: OpenClaw Skill Name: archon-nostr Version: 0.1.0 The skill is classified as suspicious primarily due to the `curl -sSL ... | sh` command in `SKILL.md` for installing the `nak` CLI, which executes arbitrary remote code and introduces a significant supply chain risk. Additionally, the `scripts/derive-nostr.sh` script handles highly sensitive `ARCHON_PASSPHRASE` and mnemonic data, embedding the mnemonic directly into an inline Node.js script for key derivation, and instructs the agent to save the derived private key (`nsec`) locally. While the stated purpose of deriving Nostr keys is clear, these methods involve high-risk operations and insecure practices.

Capability Assessment

⚠ Purpose & Capability

The skill claims to derive Nostr keys from an Archon DID which legitimately requires access to the wallet mnemonic/seed and tools to derive keys. However the skill metadata lists no required env vars or binaries while SKILL.md and the script require ARCHON_PASSPHRASE, node/npx/npm, and the nak CLI. This metadata omission is incoherent and can mislead users about what will actually be accessed.

ℹ Instruction Scope

The SKILL.md and script explicitly retrieve the wallet mnemonic (via `npx @didcid/keymaster show-mnemonic`), derive private keys, write a local secret file (~/.clawstr/secret.key) and publish a Nostr profile to external relays. These actions are within the stated purpose but involve sensitive operations (reading the mnemonic, creating/storing a private key, and sending events to remote relays). The instructions also recommend installing nak via a curl|sh command which executes remote code.

⚠ Install Mechanism

There is no declared install spec, but the README instructs users to run a curl | sh installer for the 'nak' CLI (raw.githubusercontent.com URL). The included script itself runs `npm install` in /tmp to fetch bip39/@scure/bip32/secp256k1/bech32 — installing remote packages at runtime. Both the curl|sh step and on-demand npm installs are higher-risk behaviors and should be made explicit and audited.

⚠ Credentials

The skill operates on highly sensitive data: it requires the Archon wallet mnemonic (implied by SKILL.md's ARCHON_PASSPHRASE) and produces/stores the derived private key. Yet the registry metadata lists no required environment variables or primary credential. That omission is disproportionate and misleading. Requesting and handling the mnemonic is necessary for the feature, but it should be declared and justified in metadata and documented with hygiene recommendations.

✓ Persistence & Privilege

The skill does not request always:true, does not modify other skills, and does not persist code as part of an install spec. It does instruct the user to save a secret to ~/.clawstr/secret.key (user-side persistence), which is expected for this feature but should be done with care.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install archon-nostr
After installation, invoke the skill by name or use /archon-nostr
Provide required inputs per the skill's parameter spec and get structured output

Version History

v0.1.0

archon-nostr 0.1.0 – Initial release - Derive a Nostr keypair (npub/nsec) directly from your Archon DID secp256k1 key, unifying Nostr and Archon identities. - Requires an existing Archon wallet and `ARCHON_PASSPHRASE`. - Provides scripts and instructions for key derivation, key storage, updating DID documents, and creating a Nostr profile. - Ensures your Archon DID verification key and Nostr pubkey are cryptographically identical (just different formats).

Metadata

Slug archon-nostr

Version 0.1.0

License —

All-time Installs 1

Active Installs 1

Total Versions 1

Frequently Asked Questions

What is Archon Nostr?

Derive Nostr identity (npub/nsec) from Archon DID. Use when unifying DID and Nostr identities so both use the same secp256k1 key. Requires existing Archon wallet with ARCHON_PASSPHRASE set. It is an AI Agent Skill for Claude Code / OpenClaw, with 1697 downloads so far.

How do I install Archon Nostr?

Run "/install archon-nostr" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Archon Nostr free?

Yes, Archon Nostr is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Archon Nostr support?

Archon Nostr is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Archon Nostr?

It is built and maintained by macterra (@macterra); the current version is v0.1.0.

More Skills