Skill v0.1.0

ClawScan security

Solana · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 13, 2026, 3:04 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is internally consistent with its stated purpose (querying Solana RPC + CoinGecko); no unexplained credentials or installs, but it will send queried addresses/mint IDs to public RPC and CoinGecko (privacy / rate-limit implications).
Guidance
This skill appears to do what it says, but be aware of privacy and rate-limit implications before using it:
(1) queries you run (wallet addresses, token mints, transaction signatures) are sent to the configured Solana RPC provider and to CoinGecko for price lookups — if you care about privacy, set SOLANA_RPC_URL to a private RPC provider you trust;
(2) use the --no-prices flag to avoid sending many token-mint lookups to CoinGecko (also helps with rate limits);
(3) no API keys or secrets are required — do NOT paste private keys into prompts;
(4) review the included script before running if you want to confirm there are no modifications specific to your environment;
(5) for heavy production use, prefer a paid/private RPC to avoid public rate limits and data exposure.

Review Dimensions

Purpose & Capability
ok · Name/description (Solana data + USD pricing) matches the included script and SKILL.md. The code uses Solana JSON-RPC and CoinGecko for prices — exactly what the skill claims. No unrelated binaries, credentials, or install steps are requested.
Instruction Scope
note · Instructions and script operate within the advertised scope (wallet, tx, token, NFTs, whales, stats, price). They perform network calls to the Solana RPC endpoint and CoinGecko. This means wallet addresses, token mint addresses, and transaction signatures you query will be sent to those third-party services (default RPC: api.mainnet-beta.solana.com; CoinGecko endpoints used as documented). That network exposure is expected for this functionality but is a privacy consideration; CoinGecko and the RPC provider will see the queried identifiers. The SKILL.md also recommends overriding SOLANA_RPC_URL for private RPCs and offers a --no-prices flag to avoid CoinGecko lookups.
Install Mechanism
ok · No install spec; this is instruction-only with an included Python script. The script only uses the Python standard library (urllib, json, argparse) and writes nothing to disk at runtime beyond normal output. No external packages or downloads are requested.
Credentials
ok · The skill requests no environment variables by default. It optionally reads SOLANA_RPC_URL to override the RPC endpoint, which is appropriate and proportional. No secrets or unrelated credentials are requested.
Persistence & Privilege
ok · "always" is false and the skill does not request persistent or elevated privileges. It does not attempt to modify other skills or system-wide settings. Runtime behavior is limited to outgoing network calls and local printing.