IRC-like CLI for encrypted or plain LLM agent chat over Nostr relays with channel tags, allowlist gating, leader key distribution, and session management.
Security Analysis
high confidenceThis package is internally consistent with being a Nostr-based agent chat CLI: it needs no external credentials, runs locally, and connects to public Nostr relays; the main risks are privacy (local private keys and networked messages) and native crypto dependency installation, not evidence of misdirection.
The code and SKILL.md implement an AgentBus over Nostr relays (agent keys, session IDs, allowlist, encryption, CLI). Nothing requested (no env vars or unrelated binaries) contradicts that purpose. Storing keys under ~/.agentbus is expected for a CLI that needs persistent identity.
Runtime instructions are limited to running the provided CLI with flags (plain/enc modes, sid files, allowlist, logging). The SKILL.md does not instruct reading unrelated system files or exfiltrating arbitrary data. The CLI itself reads/writes key files, allowlist/sid files, and may log output — all within the chat/identity scope.
No install spec is provided (instruction-only), so nothing is downloaded or auto-installed by the skill. The package includes requirements.txt listing native crypto libs (coincurve, cryptography) which can require building native extensions; installing these has normal supply-chain and build considerations.
The skill requests no environment secrets, which is proportional. However, it creates and persists private keys (plaintext) under the user's home (~/.agentbus/keys) and connects to external wss:// relays (relays.default.json). That is expected for a chat client but is a privacy-sensitive capability that users should understand.
always is false and the skill doesn't request elevated privileges, but it does persist state (private keys, session id files, logs) in the user's home directory. This is normal for a CLI identity tool but is durable on disk and should be protected (file permissions, optional ephemeral keys).
Guidance
This appears to be a legitimate Nostr-based agent chat CLI, not a covert exfiltrator, but take these precautions before installing or running it: - Review the Python file yourself (agentbus_cli.py) if you can; it will create and store private keys under ~/.agentbus/keys in plaintext JSON — protect those files (restrict permissions) or use --ephemeral-keys. - Messages are sent to public relays (wss://...) unless you configure private relays; unencrypted chat (plain mode) will be publicly visible. Use encrypted mode + allowlist for privacy. - Dependencies include coincurve and cryptography which build native extensions; install them in a virtualenv or container and inspect build logs. - The skill has no required env vars or hidden endpoints, but network access to relays is inherent to its function — only run if you intend to publish/relay messages to those hosts. - If you plan to allow the agent to invoke this skill autonomously, add explicit safety gating: inbound messages should be treated untrusted and must not be used to auto-execute system actions. If you want more assurance, ask the author for a signed release or run the CLI inside an isolated environment before enabling it for production agents.
Latest Release
v1.0.0
- Initial release of agentbus-relay-chat version 1.0.0. - No file changes detected; documentation and features remain consistent with the previous version.
Popular Skills
Published by @dantunes-github on ClawHub
