Nano (XNO)
Suspicious
Audited by ClawScan on May 12, 2026.
Overview
This Nano wallet skill is purpose-aligned, but it needs review: it runs an external npm wallet tool that signs and broadcasts cryptocurrency transactions, its reference documents signing with a raw private key on the command line, and the reviewed artifacts set no clear approval boundary before irreversible actions.
Install only if you trust the xno-skills npm package and the OWS wallet integration. Do not use @latest or paste private keys into the agent or shell. Before any send, representative change, or block submission, require a clear confirmation showing the wallet, recipient, amount, and action to be broadcast.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could broadcast wallet actions, including fund transfers if a send workflow is invoked, without the user seeing a clear approval boundary in the reviewed artifacts.
The skill grants tools that can sign and broadcast Nano wallet transactions, and it instructs the agent to perform at least one wallet-mutating action (receiving pending funds) proactively, without waiting for the user. For irreversible cryptocurrency operations, the provided artifacts should clearly require explicit user confirmation and scope checks before anything is signed or broadcast.
wallet_send ... They handle signing, PoW, and broadcast automatically via OWS. ... If you see pending funds during any balance check, call wallet_receive immediately. Do not wait for the user to ask.
Require an explicit final confirmation before any send, representative change, prepared-block submission, or other broadcast, including wallet name, recipient, amount, block hash/subtype, and destination address.
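One way to put that approval boundary in front of the wallet tools, as an added example and not code from the skill or ClawScan: every mutating action (send, receive, representative change, prepared-block submission) is registered with its exact details, the user sees those details and a token, and the token selects the stored copy when the action is executed, so the agent cannot get approval for one action and broadcast another. The tool and field names, the Nano account shape check, the session allowlist and the amount cap are assumptions for illustration; the sample account is a constructed placeholder.

```python
"""Confirmation gate for wallet-mutating MCP tool calls (added example).

Every action that signs or broadcasts a Nano block (send, receive,
representative change, prepared-block submission) is shown to the user with
its exact details and stored server-side; the user's approval token selects
that stored copy, so the agent cannot approve one thing and broadcast another.
Tool names, field names and policy values are assumptions for illustration.
"""
import secrets
from dataclasses import asdict, dataclass
from decimal import Decimal, InvalidOperation
from typing import Dict, Optional, Tuple

# Nano account shape: "nano_" + 60 chars of Nano's base32 alphabet. This is a
# format check only; checksum validation is out of scope for this example.
NANO_ALPHABET = set("13456789abcdefghijkmnopqrstuwxyz")
# Constructed placeholder with the right shape, not a real account.
SAMPLE_ACCOUNT = "nano_" + "1111111111" * 6

MUTATING_ACTIONS = {"send", "receive", "change_representative", "submit_block"}

# Assumed per-session policy: wallets opened for this task and the largest
# amount one confirmed send may move.
ALLOWED_WALLETS = {"main"}
MAX_SEND_XNO = Decimal("5")


@dataclass(frozen=True)
class PendingAction:
    action: str                       # one of MUTATING_ACTIONS
    wallet: str                       # wallet name in the OWS store
    recipient: Optional[str] = None   # destination account for sends
    amount_xno: Optional[str] = None  # decimal string in XNO units
    block_hash: Optional[str] = None  # hash of a prepared block to submit
    subtype: Optional[str] = None     # send/receive/change for prepared blocks


def looks_like_nano_account(addr: str) -> bool:
    return addr.startswith("nano_") and len(addr) == 65 and set(addr[5:]) <= NANO_ALPHABET


def scope_violation(a: PendingAction) -> Optional[str]:
    """Return why the action is out of policy, or None if it may be shown."""
    if a.action not in MUTATING_ACTIONS:
        return f"unknown action {a.action!r}"
    if a.wallet not in ALLOWED_WALLETS:
        return f"wallet {a.wallet!r} is not in scope for this session"
    if a.action == "send":
        if not a.recipient or not looks_like_nano_account(a.recipient):
            return "send requires a well-formed nano_ recipient"
        try:
            amount = Decimal(a.amount_xno or "")
        except InvalidOperation:
            return "send requires a decimal amount"
        if amount <= 0 or amount > MAX_SEND_XNO:
            return f"amount {amount} XNO is outside 0 < amount <= {MAX_SEND_XNO}"
    if a.action == "submit_block" and not (a.block_hash and a.subtype):
        return "submit_block requires block hash and subtype"
    return None


class ConfirmationGate:
    """Sits in front of the real wallet tools; nothing is broadcast without it.

    "receive" is gated too: the SKILL.md guidance to call wallet_receive
    immediately would bypass this gate, which is the finding above.
    """

    def __init__(self) -> None:
        self._pending: Dict[str, PendingAction] = {}

    def request(self, a: PendingAction) -> Tuple[str, str]:
        """Register the action and return (prompt shown to the user, token)."""
        why = scope_violation(a)
        if why:
            raise PermissionError(why)
        token = secrets.token_hex(4)
        self._pending[token] = a
        fields = {k: v for k, v in asdict(a).items() if v is not None}
        prompt = "\n".join(f"{k}: {v}" for k, v in fields.items())
        prompt += f"\nReply 'confirm {token}' to broadcast; anything else aborts."
        return prompt, token

    def execute(self, user_reply: str) -> str:
        """Broadcast only the stored action the user's token refers to."""
        parts = user_reply.strip().split()
        if len(parts) != 2 or parts[0] != "confirm":
            return "aborted: no confirmation given"
        a = self._pending.pop(parts[1], None)  # single use: pop, never get
        if a is None:
            return "aborted: no pending action for that token"
        why = scope_violation(a)  # policy may have tightened since request()
        if why:
            return f"aborted: {why}"
        # The real OWS-backed tool (e.g. wallet_send) would be called here.
        return f"broadcast: {a.action} from wallet {a.wallet}"
```

The token is random and single-use rather than derived from the details, so two identical sends need two separate approvals and a stale approval cannot be replayed; the binding to the exact wallet, recipient, amount and action comes from the stored copy, not from anything the agent restates later.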
If a user pastes a Nano private key into this command, it can be exposed to the agent context, shell history, process listings, logs, or an unreviewed runtime package, enabling loss of funds.
The reference documents a signing command that accepts a raw private key on the command line. That is sensitive wallet authority, and it conflicts with the safer OWS-mediated model described in SKILL.md, in which the agent should never see private keys.
Usage: cli sign [options] <message> ... -k, --key <hex> Private key in hex
Do not paste wallet private keys into this skill. The publisher should route signing through OWS or a secure prompt, remove raw-key command guidance for wallet keys, and declare credential handling clearly.
A changed, compromised, or wrong npm package version could receive wallet-operation authority even though no package code was included in this review.
The skill is instruction-only but directs runtime execution of an npm package, and its own version guidance is inconsistent (an exact version in one place, @latest in another). Runtime-fetched wallet tooling is a material supply-chain risk because that package performs the signing and broadcasting.
npx -y -p xno-skills@3.2.0 -- mcp ... Always use one of the above forms with @latest
Pin one exact reviewed package version everywhere, avoid @latest/unversioned examples, publish an install spec and provenance details, and make clear that the runtime npm package was not part of the static scan.
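The two artifact problems above (raw-key command guidance, and version guidance that is not one exact pin) are both things a publisher can lint for before shipping. The following is an added example of such a check over the skill's text, not ClawScan's scanner and not code from the skill; the list of key-taking flags is an assumption, and the sample text is constructed from the lines quoted in this review.

```python
"""Static lint of a skill's text artifacts (added example, not ClawScan's scanner).

Flags the two artifact problems raised above: wallet-tool version guidance that
is not one exact pin (unversioned install lines, @latest, ranges, or more than
one pinned version), and command guidance that takes a raw private key as an
argument. The flag list and the sample text are assumptions/constructed.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

PACKAGE = "xno-skills"
PKG_REF = re.compile(re.escape(PACKAGE) + r"(?:@([0-9A-Za-z.^~*<>=+-]+))?")
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$")  # 3.2.0, not ^3.2.0
# Flags that take key material directly (assumed list; extend for the real tool).
RAW_KEY_FLAG = re.compile(r"(?:^|\s)(?:-k|--key|--private-key|--seed)(?=[\s,=]|$)")

# Constructed from the lines quoted in this review.
SAMPLE_ARTIFACTS = """\
# SKILL.md
Start the server with: npx -y -p xno-skills@3.2.0 -- mcp
Always use one of the above forms with @latest
# reference/cli.md
Usage: cli sign [options] <message> ... -k, --key <hex> Private key in hex
"""


@dataclass
class LintResult:
    versions: Set[str] = field(default_factory=set)
    problems: List[str] = field(default_factory=list)

    @property
    def pinned_consistently(self) -> bool:
        return len(self.versions) == 1 and not self.problems


def lint_skill_text(text: str) -> LintResult:
    r = LintResult()
    for lineno, line in enumerate(text.splitlines(), 1):
        if "@latest" in line:
            r.problems.append(f"line {lineno}: guidance recommends @latest")
        for m in PKG_REF.finditer(line):
            ver = m.group(1)
            if ver is None:
                # Prose may mention the package; install commands must pin it.
                if "npx " in line or "npm " in line:
                    r.problems.append(f"line {lineno}: {PACKAGE} installed without a version")
            elif ver == "latest":
                continue  # already reported for this line
            elif not EXACT_VERSION.match(ver):
                r.problems.append(f"line {lineno}: floating version {PACKAGE}@{ver}")
            else:
                r.versions.add(ver)
        if RAW_KEY_FLAG.search(line):
            r.problems.append(f"line {lineno}: raw key accepted on the command line")
    if len(r.versions) > 1:
        r.problems.append(f"more than one version pinned: {sorted(r.versions)}")
    return r


def pinned_install_spec(r: LintResult) -> Optional[str]:
    """The single npx form the artifacts should use everywhere, if lint is clean."""
    if not r.pinned_consistently:
        return None
    (ver,) = r.versions
    return f"npx -y -p {PACKAGE}@{ver} -- mcp"
```

Run against the constructed sample, the lint reports the @latest recommendation and the raw-key flag and refuses to emit an install spec; once every install line carries the same exact version and the key flag is gone, it emits the one pinned npx form. This checks the text only; it says nothing about the package contents, which the static scan did not see either.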
Wallet names, balances, account state, and pending-block details may become visible to the agent during Nano tasks.
The MCP integration can expose wallet/account state into the agent context as resources. This is purpose-aligned for a wallet skill, but it is sensitive financial data and should be scoped to trusted wallets and sessions.
MCP Resources (passive reads, no tool call needed): wallet://{name} — wallet summary and primary account state; wallet://{name}/account/{index} — pending blocks and details
Use this only with a trusted MCP server and wallet store, and avoid exposing wallets or accounts that are not needed for the current task.
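Because these resources are read without a tool call, a confirmation gate on the tools does not limit them; the scoping has to happen where resources are listed and read. The following is an added example of that filter, not code from the skill or its MCP server: it admits only the two URI shapes quoted above, and only for the wallets and account indices the user opened for the task. The allowlist shape and the sample listing are assumptions/constructed.

```python
"""Scope filter for passive MCP wallet resources (added example).

The review notes that wallet://{name} and wallet://{name}/account/{index}
are read without a tool call, so nothing in the tool layer limits what account
state reaches the agent. This filter belongs where resources are listed and
read, and admits only the wallets and account indices opened for the current
task. The allowlist shape and URI handling are assumptions, not the skill's code.
"""
import re
from typing import Dict, Iterable, List, Set

# Exact shapes from the review; anchored so extra segments, "..", or query
# strings fail to match and are therefore denied.
WALLET_URI = re.compile(r"^wallet://([A-Za-z0-9_-]+)$")
ACCOUNT_URI = re.compile(r"^wallet://([A-Za-z0-9_-]+)/account/(\d+)$")

# Constructed listing as a wallet MCP server might advertise it.
SAMPLE_LISTING = [
    "wallet://main",
    "wallet://main/account/0",
    "wallet://main/account/1",
    "wallet://savings",
    "wallet://savings/account/0",
    "wallet://main/../savings",
    "wallet://main/account/0?include=keys",
]


class ResourceScope:
    def __init__(self, allowed: Dict[str, Set[int]]) -> None:
        self.allowed = allowed  # wallet name -> account indices readable this session

    def permits(self, uri: str) -> bool:
        m = WALLET_URI.match(uri)
        if m:
            return m.group(1) in self.allowed
        m = ACCOUNT_URI.match(uri)
        if m:
            wallet, index = m.group(1), int(m.group(2))
            return wallet in self.allowed and index in self.allowed[wallet]
        return False  # deny anything that is not one of the two known shapes

    def filter_listing(self, uris: Iterable[str]) -> List[str]:
        """Apply to the server's resource list before the agent ever sees it."""
        return [u for u in uris if self.permits(u)]
```

With a session scoped to account 0 of the "main" wallet, the savings wallet, the other account index, and the two malformed URIs all drop out of the listing; an empty allowlist exposes nothing, which is the right default until the user names the wallet the task needs.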
