nansen-wallet-keychain-migration
Pass
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: SAFE | DATA_EXFILTRATION | COMMAND_EXECUTION | REMOTE_CODE_EXECUTION
Full Analysis
- [DATA_EXFILTRATION]: The skill accesses sensitive local files containing wallet credentials, specifically `~/.nansen/.env` and `~/.nansen/wallets/.credentials`.
- [COMMAND_EXECUTION]: The skill executes `nansen wallet export default`, which prints unencrypted private keys to the output. This is used to verify that a password migration was successful but exposes highly sensitive cryptographic secrets to the agent's session history and context.
- [REMOTE_CODE_EXECUTION]: The migration logic employs the `source` command on the `~/.nansen/.env` file. This shell builtin executes the contents of the file in the current process environment. If the file were to be tampered with to include malicious bash commands instead of environment variables, those commands would be executed with the user's privileges.