Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Nansen Trading

Execute DEX swaps on Solana or Base. Use when buying or selling a token, getting a swap quote, or executing a trade.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
by Nansen AI @nansen-devops
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (DEX swaps on Solana/Base) align with required binary (nansen CLI) and required env vars (API key + wallet password). The npm package nansen-cli and GitHub repository are cited in SKILL.md, so the declared dependencies are proportionate to the stated purpose.
Instruction Scope
SKILL.md instructs the agent to create a wallet, run quote and execute commands, and to source/persist NANSEN_WALLET_PASSWORD in ~/.nansen/.env. Persisting a wallet password to a file and instructing agents how to load it is a sensitive operational detail and expands the skill's scope to handling secrets/storage policy. The file path (~/.nansen/.env) is used in instructions but was not declared in the registry's required config paths metadata.
Install Mechanism
Install uses the public npm package nansen-cli (creates the nansen binary). npm is a common distribution method for CLIs but is a moderate-risk install source compared with curated package managers; verify the package and its maintainer before running installs.
Credentials
Requested env vars (NANSEN_API_KEY, NANSEN_WALLET_PASSWORD) are reasonable for trading. However, SKILL.md recommends persisting NANSEN_WALLET_PASSWORD in ~/.nansen/.env (plaintext env file) and instructs agents to source it; this increases sensitive data exposure. The metadata did not declare that the skill requires that config path, which is an inconsistency.
Persistence & Privilege
The skill is not always-enabled and does not request special platform privileges. It can be invoked autonomously (default), which is normal for skills; no evidence it modifies other skills or system-wide settings.
Assessment
This skill appears to do what it says (run nansen-cli to get quotes and execute swaps), but you should take precautions before installing:
1) Verify the nansen-cli npm package and its GitHub repository (review code and publisher) to ensure you're installing the legitimate CLI.
2) Avoid storing wallet passwords in plaintext files if possible; prefer using a hardware wallet, ephemeral signing, or a dedicated secure secret store. If you must use NANSEN_WALLET_PASSWORD, restrict file permissions and understand the exposure.
3) Confirm NANSEN_API_KEY has least privilege and revoke it if compromised.
4) Note the registry metadata omission: SKILL.md expects ~/.nansen/.env but the skill metadata does not declare required config paths—ask the publisher to correct metadata or clarify expected file usage.
5) Remember on-chain trades are irreversible; test with small amounts and check quote expiration behavior.
If you have low tolerance for secret-file persistence or cannot review the npm package, treat this skill with caution.


Current version v0.1.0
latestvk97942abd2hnh9fqeexfv7nnrs8374t3


Runtime requirements

Bins: nansen
Env: NANSEN_API_KEY, NANSEN_WALLET_PASSWORD
Primary env: NANSEN_API_KEY

Install

Node
Bins: nansen
npm i -g nansen-cli

SKILL.md

Trade

Two-step flow: quote then execute. Trades are irreversible once on-chain.

Prerequisite: You need a wallet first. Run nansen wallet create before trading.

Quote

nansen trade quote \
  --chain solana \
  --from SOL \
  --to USDC \
  --amount 1000000000

Symbols resolve automatically: SOL, ETH, USDC, USDT, WETH. Raw addresses also work.

Execute

nansen trade execute --quote <quote-id>

Agent pattern

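# Pipe quote ID directly into execute
quote_id=$(nansen trade quote --chain solana --from SOL --to USDC --amount 1000000000 2>&1 | grep "Quote ID:" | awk '{print $NF}')
# Stop if the quote step failed and no ID was captured, rather than calling execute with an empty ID
[ -n "$quote_id" ] || { echo "no quote ID returned; not executing" >&2; exit 1; }
nansen trade execute --quote "$quote_id"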

Common Token Addresses

| Token | Chain | Address |
|---|---|---|
| SOL | Solana | So11111111111111111111111111111111111111112 |
| USDC | Solana | EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v |
| ETH | Base | 0xeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee |
| USDC | Base | 0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913 |

Amounts are in base units

| Token | Decimals | 1 token = |
|---|---|---|
| SOL | 9 | 1000000000 |
| ETH | 18 | 1000000000000000000 |
| USDC | 6 | 1000000 |

Flags

| Flag | Purpose |
|---|---|
| --chain | solana or base |
| --from | Source token (symbol or address) |
| --to | Destination token (symbol or address) |
| --amount | Amount in base units (integer) |
| --wallet | Wallet name (default: default wallet) |
| --slippage | Slippage tolerance as decimal (e.g. 0.03) |
| --quote | Quote ID for execute |
| --no-simulate | Skip pre-broadcast simulation |

Environment Variables

| Var | Purpose |
|---|---|
| NANSEN_WALLET_PASSWORD | Required for trade execute. Wallet encryption password — persisted in ~/.nansen/.env. Source before executing: source ~/.nansen/.env && nansen trade execute ... |
| NANSEN_API_KEY | API key (also set via nansen login) |

Agents: Never hold a wallet password only in session memory. If NANSEN_WALLET_PASSWORD is not in ~/.nansen/.env, follow the setup flow in the nansen-wallet-manager skill Password Policy to generate and persist one before proceeding.
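
The scan's advice to restrict permissions on ~/.nansen/.env, as an added shell example (not part of SKILL.md or nansen-cli): it refuses a symlinked, foreign-owned or group/other-accessible file, and extracts only the NANSEN_WALLET_PASSWORD assignment instead of sourcing the whole file. The function names and the `KEY=value` / `export KEY=value` file layout are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not from nansen-cli: vet the env file before reading the secret.

# check_env_file PATH -> 0 if safe to read; non-zero with a reason on stderr.
check_env_file() {
  local f="$1" perms
  [ ! -L "$f" ] || { echo "refusing symlink: $f" >&2; return 3; }
  [ -e "$f" ]   || { echo "missing: $f" >&2; return 2; }
  [ -f "$f" ]   || { echo "not a regular file: $f" >&2; return 3; }
  [ -O "$f" ]   || { echo "not owned by current user: $f" >&2; return 4; }
  # ls -ld prints e.g. "-rw-------"; characters 5-10 are the group/other bits.
  perms=$(ls -ld "$f" | cut -c5-10)
  [ "$perms" = "------" ] || { echo "group/other access on $f; chmod 600 it" >&2; return 5; }
}

# read_wallet_password PATH -> prints the value of NANSEN_WALLET_PASSWORD.
# Assumes KEY=value or export KEY=value lines (the real layout may differ).
# The file is parsed, never sourced, so no other line in it is executed.
read_wallet_password() {
  local f="$1" val
  check_env_file "$f" || return
  val=$(sed -n 's/^[[:space:]]*\(export[[:space:]][[:space:]]*\)\{0,1\}NANSEN_WALLET_PASSWORD=//p' "$f" | tail -n 1)
  case $val in   # strip one pair of surrounding quotes, if present
    \"*\") val=${val#\"}; val=${val%\"} ;;
    \'*\') val=${val#\'}; val=${val%\'} ;;
  esac
  [ -n "$val" ] || { echo "NANSEN_WALLET_PASSWORD not set in $f" >&2; return 6; }
  printf '%s\n' "$val"
}

# Constructed demo: a throwaway file holding a made-up password.
demo() {
  local d; d=$(mktemp -d) || return
  printf 'export NANSEN_WALLET_PASSWORD="constructed-example"\n' > "$d/.env"
  chmod 644 "$d/.env"; read_wallet_password "$d/.env"; echo "mode 644 -> exit $?"
  chmod 600 "$d/.env"; read_wallet_password "$d/.env"; echo "mode 600 -> exit $?"
  rm -rf "$d"
}

# Usage: scope the secret to the one command that needs it.
#   pw=$(read_wallet_password "$HOME/.nansen/.env") &&
#     NANSEN_WALLET_PASSWORD=$pw nansen trade execute --quote "$quote_id"
```
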

Notes

  • Quotes expire after ~1 hour. If execute fails, get a fresh quote.
  • A wallet is required even for quotes (the API builds sender-specific transactions).
  • ERC-20 swaps may require an approval step — execute handles this automatically.
