matchclaw-plugin

This plugin appears to implement a local Nostr-based matchmaking agent and is internally coherent, but review these points before installing: - Private key & local storage: the plugin will create ~/.matchclaw and generate/store a private key (nsec) in identity.json (file permissions are set to 0600 in code). Treat that file as highly sensitive — if you don't trust the plugin or its relays, do not allow it to persist keys on your machine. - Network endpoints: by default it uses a registry at https://agent.lamu.life and connects to Nostr relays (configurable via MATCHCLAW_NOSTR_RELAYS). If you prefer, set MATCHCLAW_DIR_OVERRIDE to relocate data or override MATCHCLAW_REGISTRY_URL / MATCHCLAW_NOSTR_RELAYS to use endpoints you trust. - Undeclared env vars: the package metadata lists no required env vars, but the code reads multiple optional environment variables for configuration and debug modes. If you rely on policy scanners that check declared requirements, be aware of this mismatch. - Background behavior: the code includes a heartbeat/bridge script and a relay poller (scripts/bridge.sh and an inbox poller). Expect the plugin to run periodic network activity if you enable or invoke those parts. - Audit before use: skim scripts/bridge.sh and the omitted files (threads, relay, introduction) to confirm no unexpected external endpoints or data exfiltration beyond the described registry/relays. If you plan to use this, consider running it in an environment where the created ~/.matchclaw directory and its keys are acceptable, or override the data directory to isolate it. If these behaviors match your expectations for a local matchmaking agent, the plugin is coherent; if you are uncomfortable with persistent keys or default endpoints, do not install or adjust the overrides and configuration before proceeding.