Nansen Trading
Advisory
Audited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could execute a swap, bridge, or order that moves crypto assets before the user has reviewed the final quote, destination, slippage, and fees.
The skill can execute irreversible on-chain trades, and the documented agent pattern collapses quote and execution into one command sequence without requiring a separate explicit user confirmation.
Two-step flow: quote then execute. **Trades are irreversible once on-chain.** ... # Pipe quote ID directly into execute ... nansen trade execute --quote "$quote_id"
Require explicit user confirmation immediately before any `nansen trade execute` or limit-order create/update/cancel command, show the full quote and destination details, and avoid piping quote output directly into execution.
Anyone or any tool path that can use these environment variables may be able to interact with the wallet through the Nansen CLI.
The skill openly requires an API key and wallet password and grants the agent access to run the Nansen CLI, which is expected for trading but gives access to sensitive wallet authority.
requires:
  env:
    - NANSEN_API_KEY
    - NANSEN_WALLET_PASSWORD
...
allowed-tools: Bash(nansen:*)
Use a dedicated low-balance trading wallet, protect the wallet password, rotate credentials if exposed, and only install this skill where you trust the agent and CLI package.
A changed or untrusted CLI package could affect wallet handling or trade execution.
The reviewed artifacts contain no code files and rely on an external npm CLI package, so the actual wallet and trading behavior depends on code not included in the skill review.
Source: unknown; Homepage: none; Install specifications: node | package: nansen-cli | creates binaries: nansen
Verify the `nansen-cli` package provenance and version before installation, and prefer pinned, trusted releases for any tool that can use wallet credentials.
