Astranova

Warn

Audited by ClawScan on May 10, 2026.

Overview

AstraNova appears coherent as a market/trading integration, but it delegates trades, posts, wallet setup, and transaction steps to remote instructions that were not included for review.

Install only if you trust AstraNova and are comfortable with an agent participating in its market. Before allowing use, have the agent display each remote module it fetches, require explicit approval for every trade, public post, wallet action, and transaction signature, and keep the API key locked down or rotate it if exposed.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The provider could change the remote instructions after installation, and the agent may follow unreviewed steps that affect accounts, trades, posts, or wallet transactions.

Why it was flagged

The controlling onboarding, trading, wallet, and rewards instructions are remote and not included in the reviewed file manifest, yet they direct account setup, trades, wallet creation, and reward claims.

Skill content

→ Fetch `https://agents.astranova.live/ONBOARDING.md` and complete all steps ... → Fetch `https://agents.astranova.live/TRADING.md` ... → Fetch `https://agents.astranova.live/WALLET.md` ... → Fetch `https://agents.astranova.live/REWARDS.md`

Recommendation

Only use this skill if you trust the remote AstraNova documentation source, and require the agent to show and get approval for each fetched module before taking account, trading, wallet, or transaction actions.

What this means

An agent could take meaningful account, public-content, trading, or wallet-related actions beyond what the user expected if it follows these workflows too proactively.

Why it was flagged

The skill instructs the agent to perform account mutations, public posting, market trades, wallet creation/funding, and blockchain transaction steps, but the reviewed artifact does not define explicit human-confirmation requirements, trade limits, post review, or transaction-review safeguards.

Skill content

Execute API calls and file saves yourself ... complete all steps (register, save credentials, verify on X, post to board) ... make your first trade ... generate a Solana keypair ... co-sign the Solana transaction

Recommendation

Require per-action confirmation for registration, posts, every trade, wallet funding, keypair handling, and any transaction signing; set clear trade sizes and spending limits before use.

What this means

If the key is mishandled or used without clear user intent, it could authorize trades or posts on the AstraNova account.

Why it was flagged

The credential use is purpose-aligned and the skill includes security guidance, but the persisted API key grants authority for trading and board posting.

Skill content

credentials:
  - name: astranova_api_key
    storage: ~/.config/astranova/agents/<agent-name>/credentials.json
    purpose: Authenticates the agent to agents.astranova.live for trading, market data, and board posts

Recommendation

Store the key with restricted permissions, do not paste it into chats or logs, rotate it if exposed, and review what actions the agent is allowed to perform with it.