Carbium — Solana DeFi Infrastructure
Use Carbium Solana infrastructure for RPC calls, gRPC/Yellowstone real-time streaming, DEX swap quotes and execution (CQ1 engine), and pump.fun token sniping...
MIT-0 · Free to use, modify, and redistribute. No attribution required.
⭐ 3 · 295 · 0 current installs · 0 all-time installs
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The SKILL.md describes a Carbium Solana infrastructure integration that legitimately needs two credentials (CARBIUM_RPC_KEY and CARBIUM_API_KEY) and describes RPC/gRPC/swap/snipe capabilities — those capabilities align with the name/description. However the skill registry metadata lists no required environment variables or primary credential, which is inconsistent with the documented runtime requirements. The skill also advertises endpoints and docs but 'Source: unknown' / 'Homepage: none' in the registry is inconsistent with SKILL.md's homepage/docs/repository URLs.
Instruction Scope
The instructions are explicit and focused on Solana workflows (example code for JS/Python/Rust, WebSocket subscription, quote/swap flows). They also include a full 'pump.fun sniping' implementation (bonding-curve math, buy/sell instructions) and guidance to use gRPC + raw transactions for pre-graduation tokens. That is within the claimed purpose but represents a high-risk, potentially abusive trading operation — the instructions do not request unrelated system files or credentials but they do enable automated token sniping and MEV-style activity.
Install Mechanism
This is an instruction-only skill with no install spec and no code files for the platform to write to disk. That minimizes supply-chain risk — there is no download or package installation step included.
Credentials
The SKILL.md explicitly requires two environment variables (CARBIUM_RPC_KEY and CARBIUM_API_KEY), which are proportionate to the functionality. But the registry metadata failing to declare these required env vars is a management/metadata inconsistency that can lead to users not realizing they must provide keys. The examples also demonstrate signing transactions locally (wallet key material is needed to execute swaps on-chain), so users must take care not to expose private keys to third parties — the skill itself does not request private keys, but the documented workflow depends on them.
Persistence & Privilege
The skill is not always-enabled and uses normal model-invocation defaults. It does not request persistent system-level privileges, nor does it attempt to modify other skills' configurations. No elevated persistence is requested.
Scan Findings in Context
[no-findings] expected: The regex-based scanner found no code files to analyze; this skill is instruction-only (SKILL.md + reference doc). Absence of findings is expected but not evidence of safety — the SKILL.md itself contains the operational behavior.
What to consider before installing
Before installing:
1) Be aware the SKILL.md requires CARBIUM_RPC_KEY and CARBIUM_API_KEY even though the registry metadata doesn't declare them — confirm where/how you'll store/provide those keys.
2) The skill includes explicit instructions for automated token 'sniping' and MEV-style workflows; these are high-risk, can lead to financial loss, and may violate exchange/platform policies. Only run such code if you trust the provider and understand on-chain risks.
3) Verify the provider (carbium.io, docs, and repository links in the SKILL.md) and the skill author; the registry lists source/homepage as unknown which is a red flag.
4) Never paste or upload your wallet private key; sign transactions locally and use least-privilege credentials where possible.
5) Monitor API key usage and set billing/usage alerts on the Carbium account.
If the publisher can confirm the registry metadata and provide an authoritative source repository or package signed releases, that would increase confidence.
Like a lobster shell, security has layers — review code before you run it.
Current version: v1.0.1
Tags: defi, grpc, latest, rpc, solana, trading, web3
SKILL.md
Carbium Skill
Carbium is full-stack Solana infrastructure — Swiss-engineered, bare-metal, sub-22ms block streaming, no cloud middlemen.
Endpoints at a glance
| Product | URL |
|---|---|
| RPC | https://rpc.carbium.io/?apiKey=YOUR_RPC_KEY |
| gRPC / Stream | wss://grpc.carbium.io/?apiKey=YOUR_RPC_KEY |
| Swap API | https://api.carbium.io (header: X-API-KEY) |
| Docs | https://docs.carbium.io |
Auth & Security
- Env vars: CARBIUM_RPC_KEY, CARBIUM_API_KEY
- Never embed keys in frontend code or commit to version control
- One RPC key covers both RPC and gRPC endpoints
- Swap API key is separate (free account at https://api.carbium.io/login)
When to use what
| Goal | Use | Key needed |
|---|---|---|
| Read balances / send tx | RPC | RPC key |
| Real-time on-chain events | gRPC stream | RPC key (Business+) |
| Get swap quote | Swap API /api/v2/quote | API key |
| Execute swap | Swap API /api/v2/swap | API key |
| Jito-bundled swap | Swap API /api/v2/swap/bundle | API key |
| Snipe pump.fun tokens | gRPC + raw bonding curve tx | RPC key (Business+) |
| Arbitrage / MEV bot | gRPC + Swap API | Both |
Full API reference
See references/carbium-api.md for:
- Complete RPC, gRPC, and Swap API examples (JS/TS, Python, Rust)
- pump.fun sniping full implementation (bonding curve math, buy/sell instructions)
- Operational guardrails (retry logic, reconnect backoff, error table)
- Pricing tiers and feature matrix
