Nansen Wallet Keychain Migration

Warn

Audited by ClawScan on May 10, 2026.

Overview

The migration goal is legitimate, but the instructions tell the agent to export wallet private keys for verification and to source a local env file, which can expose secrets or run unintended commands.

Use this skill only if you trust the Nansen CLI and understand the wallet risk. If you do run it, skip any step that prints private keys and prefer a verification method that does not reveal key material. Do not let the agent source an env file unless you have inspected it or are comfortable with the possibility that shell content in that file could execute.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your wallet private keys could be revealed to the agent session or logs during a migration check, which could put wallet funds at risk.

Why it was flagged

The skill requires running a wallet export command that it acknowledges shows private keys. Tool output can enter the agent transcript or logs, exposing credentials that can control wallet funds.

Skill content

nansen wallet export default 2>&1 ... If export succeeds (shows private keys), the migration worked ... ALWAYS verify after migration with `nansen wallet export default`

Recommendation

Do not export private keys as a routine verification step. Use a non-secret health check, discard stdout while checking only the exit status, or require explicit user approval with clear warning before any private-key export.

What this means

A modified or malformed `~/.nansen/.env` file could cause commands to run on your machine when the migration is attempted.

Why it was flagged

Sourcing an env file executes shell content from that file. If the file contains anything beyond simple variable assignments, the migration command could run unintended local commands.

Skill content

source ~/.nansen/.env 2>/dev/null && nansen wallet secure

Recommendation

Avoid `source` for credential loading. Safely parse only the expected `NANSEN_WALLET_PASSWORD` value, or ask the user to provide the password directly for the one migration command.
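A shell pattern that implements both recommendations above (exit-status-only verification from the first finding, and parsing the env file instead of sourcing it from the second), added here as an illustration and not taken from the skill or the Nansen CLI. It assumes that `nansen wallet secure` reads `NANSEN_WALLET_PASSWORD` from its environment, as the skill's `source` line implies, and that the env file uses plain `KEY=value` lines (inline `#` comments after a value are not handled).

```shell
#!/bin/sh
# Read one expected key from a dotenv-style file WITHOUT sourcing it, so any
# command substitutions, backticks or stray commands in the file never run.
# Usage: read_env_value FILE KEY   (prints the value; exit 1 if absent/unsafe)
read_env_value() {
    file=$1; key=$2
    [ -r "$file" ] || return 1
    # Keep only "KEY=value" lines (optional leading "export "), take the last
    # one, and drop the "KEY=" prefix. The result is plain text, never evaluated.
    val=$(grep -E "^(export[[:space:]]+)?${key}=" "$file" | tail -n 1 \
          | sed -E "s/^(export[[:space:]]+)?${key}=//")
    [ -n "$val" ] || return 1
    # Strip one layer of matching quotes, as a shell would.
    case $val in
        \"*\") val=${val#\"}; val=${val%\"} ;;
        \'*\') val=${val#\'}; val=${val%\'} ;;
    esac
    # Refuse values that contain shell expansion syntax: `source` would have
    # executed them, and a real password should not need them.
    case $val in
        *'$('*|*'`'*) return 1 ;;
    esac
    printf '%s' "$val"
}

# Run a command as a pure health check: stdout and stderr are discarded so
# anything it prints (including key material) never reaches the transcript.
# The command's exit status is returned unchanged.
exit_status_only() {
    "$@" >/dev/null 2>&1
}

# The safer migration flow. Assumption: the CLI reads NANSEN_WALLET_PASSWORD
# from its environment, as the skill's `source ... && nansen wallet secure`
# line implies. Not executed by the checks below (no CLI is available there).
migrate_wallet() {
    pw=$(read_env_value "$HOME/.nansen/.env" NANSEN_WALLET_PASSWORD) || return 1
    # Scope the secret to the single command that needs it.
    NANSEN_WALLET_PASSWORD=$pw nansen wallet secure || return 1
    # Verify by exit status alone; the exported keys are never displayed.
    exit_status_only nansen wallet export default
}
```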

What this means

You are relying on the installed `nansen-cli` package and its npm supply chain for wallet operations.

Why it was flagged

The package install is expected for this CLI-based skill, but the registry metadata does not provide a source repository or homepage for provenance review.

Skill content

node | package: nansen-cli | creates binaries: nansen; Source: unknown; Homepage: none

Recommendation

Install only from the official Nansen CLI source you trust, and verify the package identity/version before using it with wallet credentials.