← 返回 Skills 市场
1697
总下载
0
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install archon-nostr
功能描述
Derive Nostr identity (npub/nsec) from Archon DID. Use when unifying DID and Nostr identities so both use the same secp256k1 key. Requires existing Archon wallet with ARCHON_PASSPHRASE set.
使用说明 (SKILL.md)
Archon Nostr Identity
Derive your Nostr keypair from your Archon DID's secp256k1 verification key. Same key, two protocols.
Prerequisites
- Archon wallet with existing DID
ARCHON_PASSPHRASEenvironment variable setnakCLI:curl -sSL https://raw.githubusercontent.com/fiatjaf/nak/master/install.sh | sh
Derive Keys
Run the derivation script:
./scripts/derive-nostr.sh
This outputs your nsec, npub, and hex pubkey derived from m/44'/0'/0'/0/0.
Save Keys
mkdir -p ~/.clawstr
# Save the nsec output from above
echo "nsec1..." > ~/.clawstr/secret.key
chmod 600 ~/.clawstr/secret.key
Update DID Document
Add Nostr identity for discoverability:
npx @didcid/keymaster set-property YourIdName nostr \
'{"npub":"npub1...","pubkey":"\x3Chex-pubkey>"}'
Create Nostr Profile
echo '{
"kind": 0,
"content": "{\"name\":\"YourName\",\"about\":\"Your bio. DID: did:cid:...\"}"
}' | nak event --sec $(cat ~/.clawstr/secret.key) \
wss://relay.ditto.pub wss://relay.primal.net wss://relay.damus.io wss://nos.lol
Verify Unification
The DID's JWK x coordinate (base64url) decodes to the same hex as your Nostr pubkey:
npx @didcid/keymaster resolve-id | jq -r '.didDocument.verificationMethod[0].publicKeyJwk.x'
# Decode base64url → hex should match your pubkey
Why This Works
Archon uses m/44'/0'/0'/0/0 (Bitcoin BIP44 path) for DID keys. Nostr uses raw secp256k1. Same curve, same key — just different encodings.
安全使用建议
This skill appears to perform the advertised job (derive a Nostr key from an Archon DID) but has several red flags you should consider before installing or running it: 1) Metadata is incomplete — the skill actually requires ARCHON_PASSPHRASE and node/npx/npm, but these are not declared. Expect the script to access your wallet mnemonic. 2) The SKILL.md recommends installing 'nak' by piping a remote script (curl | sh). Avoid running remote install scripts without review. 3) The included script runs `npm install` in /tmp, fetching packages at runtime; verify the exact packages and consider running in an isolated environment. 4) The script obtains your mnemonic via `npx @didcid/keymaster show-mnemonic` and embeds it into a node heredoc to derive keys — treat this as handling of the most sensitive secret you own. 5) The skill instructs you to store the derived private key on disk and to publish profile events to public Nostr relays; ensure you trust the relays and secure the stored key (correct file permissions, hardware wallet if possible). Recommended actions: inspect and audit the remote install script and the npm packages, run the derivation in an isolated or disposable environment first, ensure metadata is corrected to list required env vars and binaries, and consider deriving keys with an air-gapped or offline flow if you want maximum safety.
功能分析
Type: OpenClaw Skill
Name: archon-nostr
Version: 0.1.0
The skill is classified as suspicious primarily due to the `curl -sSL ... | sh` command in `SKILL.md` for installing the `nak` CLI, which executes arbitrary remote code and introduces a significant supply chain risk. Additionally, the `scripts/derive-nostr.sh` script handles highly sensitive `ARCHON_PASSPHRASE` and mnemonic data, embedding the mnemonic directly into an inline Node.js script for key derivation, and instructs the agent to save the derived private key (`nsec`) locally. While the stated purpose of deriving Nostr keys is clear, these methods involve high-risk operations and insecure practices.
能力评估
Purpose & Capability
The skill claims to derive Nostr keys from an Archon DID which legitimately requires access to the wallet mnemonic/seed and tools to derive keys. However the skill metadata lists no required env vars or binaries while SKILL.md and the script require ARCHON_PASSPHRASE, node/npx/npm, and the nak CLI. This metadata omission is incoherent and can mislead users about what will actually be accessed.
Instruction Scope
The SKILL.md and script explicitly retrieve the wallet mnemonic (via `npx @didcid/keymaster show-mnemonic`), derive private keys, write a local secret file (~/.clawstr/secret.key) and publish a Nostr profile to external relays. These actions are within the stated purpose but involve sensitive operations (reading the mnemonic, creating/storing a private key, and sending events to remote relays). The instructions also recommend installing nak via a curl|sh command which executes remote code.
Install Mechanism
There is no declared install spec, but the README instructs users to run a curl | sh installer for the 'nak' CLI (raw.githubusercontent.com URL). The included script itself runs `npm install` in /tmp to fetch bip39/@scure/bip32/secp256k1/bech32 — installing remote packages at runtime. Both the curl|sh step and on-demand npm installs are higher-risk behaviors and should be made explicit and audited.
Credentials
The skill operates on highly sensitive data: it requires the Archon wallet mnemonic (implied by SKILL.md's ARCHON_PASSPHRASE) and produces/stores the derived private key. Yet the registry metadata lists no required environment variables or primary credential. That omission is disproportionate and misleading. Requesting and handling the mnemonic is necessary for the feature, but it should be declared and justified in metadata and documented with hygiene recommendations.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and does not persist code as part of an install spec. It does instruct the user to save a secret to ~/.clawstr/secret.key (user-side persistence), which is expected for this feature but should be done with care.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install archon-nostr - 安装完成后,直接呼叫该 Skill 的名称或使用
/archon-nostr触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.1.0
archon-nostr 0.1.0 – Initial release
- Derive a Nostr keypair (npub/nsec) directly from your Archon DID secp256k1 key, unifying Nostr and Archon identities.
- Requires an existing Archon wallet and `ARCHON_PASSPHRASE`.
- Provides scripts and instructions for key derivation, key storage, updating DID documents, and creating a Nostr profile.
- Ensures your Archon DID verification key and Nostr pubkey are cryptographically identical (just different formats).
元数据
常见问题
Archon Nostr 是什么?
Derive Nostr identity (npub/nsec) from Archon DID. Use when unifying DID and Nostr identities so both use the same secp256k1 key. Requires existing Archon wallet with ARCHON_PASSPHRASE set. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 1697 次。
如何安装 Archon Nostr?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install archon-nostr」即可一键安装,无需额外配置。
Archon Nostr 是免费的吗?
是的,Archon Nostr 完全免费(开源免费),可自由下载、安装和使用。
Archon Nostr 支持哪些平台?
Archon Nostr 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Archon Nostr?
由 macterra(@macterra)开发并维护,当前版本 v0.1.0。
推荐 Skills