Nansen Trading
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This skill is purpose-built for crypto trading, but it can use wallet credentials to execute irreversible trades and includes an automated quote-to-execute pattern without an explicit human confirmation step.
Install only if you trust Nansen and the `nansen-cli` package. Use a dedicated wallet with limited funds, review every quote, destination address, fee, and slippage value, and require explicit confirmation before any execute, bridge, or limit-order action.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could execute a swap, bridge, or order that moves crypto assets before the user has reviewed the final quote, destination, slippage, and fees.
The skill can execute irreversible on-chain trades, and the documented agent pattern collapses quote and execution into one command sequence without requiring a separate explicit user confirmation.
Two-step flow: quote then execute. **Trades are irreversible once on-chain.** ... # Pipe quote ID directly into execute ... nansen trade execute --quote "$quote_id"
Require explicit user confirmation immediately before any `nansen trade execute` or limit-order create/update/cancel command, show the full quote and destination details, and avoid piping quote output directly into execution.
Anyone or any tool path that can use these environment variables may be able to interact with the wallet through the Nansen CLI.
The skill openly requires an API key and wallet password and grants the agent access to run the Nansen CLI, which is expected for trading but gives access to sensitive wallet authority.
requires:
  env:
    - NANSEN_API_KEY
    - NANSEN_WALLET_PASSWORD
...
allowed-tools: Bash(nansen:*)
Use a dedicated low-balance trading wallet, protect the wallet password, rotate credentials if exposed, and only install this skill where you trust the agent and CLI package.
A changed or untrusted CLI package could affect wallet handling or trade execution.
The reviewed artifacts contain no code files and rely on an external npm CLI package, so the actual wallet and trading behavior depends on code not included in the skill review.
Source: unknown; Homepage: none; Install specifications: node | package: nansen-cli | creates binaries: nansen
Verify the `nansen-cli` package provenance and version before installation, and prefer pinned, trusted releases for any tool that can use wallet credentials.
