Replying to Avatar Anthony Accioly

Now coming to Nostr, where folks were already building 100% natty nonsense apps that leaked your credentials even before AI. I can't wait to see what's coming next.

Please folks, if you're going to even attempt to interact with the vibe-coded stuff, make sure to create a separate key and share as little data as possible. Using that fancy NIP-46 Remote Signer with your only key and all-encompassing permissions is about as safe as pasting your nsec directly into the app.

PS: This is not limited to clients. Be very careful with what relays you add to your Outbox, and think twice before clicking that big, beautiful Auth button. Same for NWC stuff.

#VibeCodersWillBeVibecoding #StaySafe
Avatar
Matt 7mo ago

All of this is a potential problem with any app, which is why I've never liked how Nostr keys work. We should be able to generate sub keys or something for apps. Using a separate key for everything dampens the appeal for me. And it still doesn't solve getting rekt on a particular app.

A hardware signer at least would be nice, but I'm guessing that UX would suck for the social media case. Maybe using it to generate or destroy sub keys?

It also may be unapparent what is vibed and what isn't. Even non-vibed may have shit security. That's why I favor a deeper solution. Maybe it isn't possible. I have no idea.

I think nostr:nprofile1qqsyawyrzrttfmv4cmtx5w2m85702kdct7hv3amfrkhagpdf9cz46mgprpmhxue69uhkv6tvw3jhytnwdaehgu3wwa5kuef0qyghwumn8ghj7mn0wd68ytnhd9hx2tcpydmhxue69uhkv6tvw3jhytnwdaehgu3wwa5kuef08ankcmmzv9kr6ctvds20l3q3 and I have notes discussing this somewhere.

Reply to this note

Please Login to reply.

Discussion

No replies yet.