How soon until we see a malicious #nostr app/browser extension? As it saves the nsec/npub to local storage it also sends it to the dev's api. 

Or, a stored xss on a fav web client that has visitors blast spam kind 1 notes without them knowing as they have their signer set to always authorize.

I wouldn't doubt these scenarios will eventually occur if/as nostr grows. Stay vigilant.