The Trench

Pass

Audited by ClawScan on May 1, 2026.

Overview

The skill is a narrow instruction-only devnet Solana Anchor example, but users should verify the external IDL/types and use a test wallet because the sample can send transactions through the local Anchor provider.

This appears safe to install as an instruction-only devnet helper. Before using it, verify the IDL and TypeScript types from the linked project, keep it on devnet unless you intentionally review a mainnet version, and use a test wallet for any transaction-signing examples.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A local wallet may be used to sign Solana transactions; on devnet this is usually low impact, but changing the program or network could authorize real actions.

Why it was flagged

The sample uses Anchor's environment-based provider, which can draw on local wallet/provider configuration if the user runs the code.

Skill content

const provider = AnchorProvider.env();

Recommendation

Use a dedicated devnet/test wallet, verify the selected cluster and wallet before running RPC calls, and do not adapt it to mainnet without reviewing the program, accounts, and transaction effects.

What this means

If uncommented and run, the sample can submit a transaction to the specified Solana program.

Why it was flagged

The documented example is commented out and user-directed, but an Anchor .rpc() call sends an on-chain transaction and may mutate program/account state.

Skill content

// await program.methods.listDeadToken(...).accounts({ ... }).rpc();

Recommendation

Review the IDL, target program ID, accounts, and transaction arguments before executing any RPC call.

What this means

Users may need to obtain the IDL/types from the linked repository or another source, and should verify that they match the intended devnet program.

Why it was flagged

The skill references IDL and TypeScript type files, but the supplied manifest contains only SKILL.md, so those referenced artifacts are not available in this review package.

Skill content

IDL: `{baseDir}/../idl.json`
- TS types: `{baseDir}/../the_trench.ts`

Recommendation

Fetch referenced files only from the expected project source, compare the program ID and IDL contents, and avoid running generated client code from unverified sources.