Is it possible for a malicious site to ask the nostr key extensions to sign a message that would reveal your key (thinking like a blank string) or is that prevented if it's even an issue?