v1.0.0

Nansen Mpp Payment

Suspicious

ClawScan verdict for this skill. Analyzed Apr 30, 2026, 1:41 PM.

Analysis

The skill matches its paid Nansen API purpose, but it uses a funded Tempo wallet, broad payment-capable CLI access, and a remote installer without clear spending or approval limits.

Guidance: Install only if you trust the Tempo installer and understand that this involves a funded payment wallet. Use a dedicated low-balance wallet, verify the Tempo CLI through official channels, and require explicit confirmation and a spending cap before any paid API request.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: High, Confidence: High, Status: Concern
SKILL.md
allowed-tools: Bash(tempo:*), Bash(nansen:*)

The skill grants broad CLI access to both Tempo and Nansen even though the described workflow mainly needs paid `tempo request` calls and limited `nansen schema` lookup; combined with payment-capable commands, this lacks clear approval and spending boundaries.

User impact: The agent could invoke payment-capable or wallet-related Tempo commands more broadly than the user intended, potentially causing unwanted spending or account changes.
Recommendation: Restrict tool access to the minimum commands needed, require explicit user confirmation before any paid request or wallet operation, and set a clear per-call or per-session spend limit.

Agentic Supply Chain Vulnerabilities
Severity: Medium, Confidence: High, Status: Concern
SKILL.md
curl -fsSL https://tempo.xyz/install | bash

The skill recommends installing a required external CLI by piping a remote script directly into a shell, with no pinned version, checksum, signature verification, or managed install spec.

User impact: If the remote installer or its delivery path is compromised or changes unexpectedly, the user could run unintended code on their machine.
Recommendation: Prefer a verified package manager or release artifact, pin a version, verify checksums/signatures, and document the exact trusted source.

Unexpected Code Execution
Severity: Medium, Confidence: High, Status: Concern
SKILL.md
curl -fsSL https://tempo.xyz/install | bash

This is an install-to-run flow that executes downloaded shell code. It is purpose-related, but it executes code beyond the instruction-only skill itself and is not bounded by an integrity check.

User impact: The user may execute installer code that can modify the local environment before they have independently verified it.
Recommendation: Do not pipe installers directly to a shell; download, inspect, verify, and run a pinned installer only from a trusted source.

Human-Agent Trust Exploitation
Severity: Medium, Confidence: Medium, Status: Concern
SKILL.md
Use when a user wants anonymous Nansen access without an API key and without managing their own Base/Solana wallet

The wording emphasizes anonymity, but the same instructions require Tempo wallet login and funding; the skill does not clarify what anonymity means or what account/payment metadata Tempo may observe.

User impact: Users may overestimate the privacy of the workflow and assume it is fully anonymous when it still depends on a logged-in, funded payment provider.
Recommendation: Clarify that this is API-keyless or potentially anonymous to Nansen only, and disclose any Tempo account, wallet, payment, or request metadata considerations.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: High, Confidence: High, Status: Concern
SKILL.md
# 2. Log in (creates / unlocks the tempo wallet)
tempo wallet login
# 3. Fund it with USDC on the chain tempo selects for your environment
tempo wallet fund

The setup requires access to a Tempo wallet and funding it with USDC, which is sensitive account and financial authority; the instructions do not define limits on who may authorize use, how much may be spent, or how the wallet should be protected.

User impact: A logged-in and funded wallet could be used for purchases or account actions outside the user's intended request if not carefully controlled.
Recommendation: Use a dedicated low-balance Tempo wallet, confirm each wallet or payment action manually, and document the wallet/session requirement in the credential contract.