Sigil Nostr — P2P Encrypted Messaging for AI Agents

Author: lmanchu · GitHub ↗ · v0.1.1 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 105
Favorites: 0
Current installs: 0
Versions: 2
Install in OpenClaw
/install sigil-nostr
Description
Nostr P2P messaging gateway for AI agents. Send and receive E2E encrypted messages via the Nostr protocol. Enables your agent to be reachable from Sigil Mess...
Security usage recommendations
This skill appears to do what it says (a Nostr bridge), but exercise caution before installing. Key points:
- Do not run the Node bridge in 'hermes' mode unless you trust all senders: the bridge constructs a shell command from incoming messages and only escapes quotes, which allows command substitution/injection.
- Prefer the Rust hermes_bridge example (recommended by the author) for production; the Node script is documented as a reference implementation.
- The skill will create and store private keys at ~/.sigil/*.key and an access JSON; ensure you understand and protect those files (use passphrase encryption if supported).
- The SKILL.md recommends running cargo install from a GitHub repo; verify the repo and review its code before building.
- If you want to use this, run it in a restricted environment (container or VM), review/patch the execSync call to avoid shell interpolation (use child_process.execFile or pass args as an array), and ensure a strict whitelist for authorized npubs.
Capability assessment
Purpose & Capability
The skill's name/description (Nostr P2P gateway for AI agents) aligns with the included SKILL.md and bridge.js which create keys, talk to relays, and forward messages. It legitimately needs to read/write ~/.sigil and call sigil-cli/cargo for key generation. Minor inconsistency: the runtime references environment variables (SIGIL_RELAY, SIGIL_AGENT, SIGIL_MODE, SIGIL_OWNER) but the registry metadata lists no required env vars.
Instruction Scope
The SKILL.md and bridge.js instruct the agent to create persistent key files (~/.sigil/*.key and access.json) and to forward incoming DMs to the agent. However the Node bridge uses execSync to run external CLIs with content derived from incoming messages (hermes chat -q "<message>"). The code only escapes double quotes and invokes a shell; command-substitution/expansion (e.g. $(...), `...`, $VAR) can still be interpreted by the shell, so an attacker-supplied message could cause arbitrary command execution when the bridge is run in hermes mode. The instructions don't mention this injection risk or mitigate it.
Install Mechanism
There is no formal install spec (instruction-only skill). The SKILL.md asks users to run cargo install from a GitHub repo which is a common but non-trivial operation (building and running code fetched from upstream). This is a moderate-risk action because it builds and installs third-party code from a repository; the Node bridge itself does not auto-install extra packages.
Credentials
No credentials are requested in the registry metadata, and the skill does not request unrelated cloud credentials. It does read/write private key material to ~/.sigil (expected for a messaging bridge). The SKILL.md and bridge.js reference several optional env vars (SIGIL_RELAY, SIGIL_AGENT, SIGIL_MODE, SIGIL_OWNER) but these were not declared in the skill metadata — this mismatch should be documented for users who rely on declared requirements.
Persistence & Privilege
The bridge creates persistent files in the user's home (~/.sigil/*.key and access.json) which is consistent with its purpose. However, combined with the execSync usage, this creates a higher blast radius: if the agent or bridge autonomously processes incoming messages (the skill is user-invocable and model-invocation is enabled by default), a crafted message could trigger command execution on the host. The skill does not require always:true (good), and it does not modify other skills' configs.
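How to use
  1. Make sure OpenClaw is installed (locally or via Docker).
  2. Enter the install command in the chat box: /install sigil-nostr
  3. Once installation completes, invoke the Skill by name or trigger it with /sigil-nostr
  4. Provide the required inputs according to the Skill's parameter description to get structured output.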
Version history
v0.1.1
Added client connection guide: iPhone, CLI, Mac, Damus interop, QR sharing
v0.1.0
Initial release: Nostr P2P messaging skill for OpenClaw and Hermes agents. E2E encrypted, personal/service modes, TUI components.
Metadata
Slug sigil-nostr
Version 0.1.1
License MIT-0
Total installs 0
Current installs 0
Version count 2
Frequently asked questions

What is Sigil Nostr — P2P Encrypted Messaging for AI Agents?

Nostr P2P messaging gateway for AI agents. Send and receive E2E encrypted messages via the Nostr protocol. Enables your agent to be reachable from Sigil Mess... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 105 total downloads so far.

How do I install Sigil Nostr — P2P Encrypted Messaging for AI Agents?

Run the command "/install sigil-nostr" in the OpenClaw or Claude Code chat box for a one-step install; no additional configuration is needed.

Is Sigil Nostr — P2P Encrypted Messaging for AI Agents free?

Yes, Sigil Nostr — P2P Encrypted Messaging for AI Agents is completely free. It is released under the MIT-0 license and may be freely downloaded, installed and used.

Which platforms does Sigil Nostr — P2P Encrypted Messaging for AI Agents support?

Sigil Nostr — P2P Encrypted Messaging for AI Agents runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Sigil Nostr — P2P Encrypted Messaging for AI Agents?

It is developed and maintained by lmanchu (@lmanchu); the current version is v0.1.1.
