The one thing that has stuck in my brain since january this year is never enter an nsec on a website. i'm sure there is some nuance there but I stick with that rule!
Yea it's so long ago that I did it that I kind of forgot the exact reasoning. I think there was/is the option of self generating an nsec and then using it or using an extension like alby or nos2x to generate an nsec which, I'm no expert, keeps the nsec somewhat shielded from disclosure on clients and websites. https://uselessshit.co/resources/nostr/ maybe have a look at the the section "getting the keys" and "how to generate and manage nostr keys and sign events" there's quite a good guide there.
Discussion
Yeah, badges seem dangerous