ClawHub

solana-skill

Interact with Solana blockchain via Helius APIs. Create/manage wallets, check balances (SOL + tokens), send transactions, swap tokens via Jupiter, and monitor addresses. Use for any Solana blockchain operation, crypto wallet management, token transfers, DeFi swaps, or portfolio tracking.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
3 · 2k · 10 current installs · 11 all-time installs
by@chattyClaw
MIT-0
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
Name/description match the code and SKILL.md: wallet creation, balance lookups via Helius/DAS, sends, and Jupiter swaps are implemented. However the registry metadata declared no required credentials or config, while the code and SKILL.md require a heliusApiKey stored in ~/.config/solana-skill/config.json and will error if it's missing. That mismatch (declaring no required credential while the skill will not function without an API key file) is an incoherence users should know about.
!
Instruction Scope
SKILL.md and code stay within the stated domain (Solana + Helius + Jupiter) and do not read arbitrary system files. However: (1) the wallet module derives an encryption password from process.env.USER and process.env.HOME (getDefaultPassword), which implicitly uses environment data not declared in the metadata and results in predictable/weak encryption; (2) references include webhook creation with arbitrary webhookURL (the code exposes a path to register webhooks that can post to any endpoint) — that enables sending on-chain events to external endpoints if the user configures it; and (3) some reference endpoints list non-HTTPS regional Helius sender URLs (http), which is an operational/security note. The instructions are otherwise explicit rather than vague, but the agent/code will create persistent config and wallet files and rely on a non-secret machine-derived password unless the user changes behavior.
Install Mechanism
There is no install spec (instruction-only at registry level) and all code is present in the bundle. No external arbitrary download or archive extraction occurs during install. package.json lists reasonable dependencies (@solana/web3.js, helius-sdk, etc.). Risk is limited to running the included scripts (npx tsx) — evaluate those scripts before running.
!
Credentials
The skill does not declare required environment variables or a primary credential in the registry, but it requires a Helius API key stored in a config file (~/.config/solana-skill/config.json). The code also implicitly uses process.env.USER and process.env.HOME to derive a default wallet password (not documented as a required secret), which is disproportionate: deriving encryption secrets from predictable environment values is weak and surprising. Other than that, the skill does not request unrelated cloud credentials. The discrepancy between declared requirements and actual file/env access is the main proportionality issue.
Persistence & Privilege
The skill creates and reads persistent files under ~/.config/solana-skill (config.json, wallets/, logs). That is expected for a wallet manager, but it's a significant persistent presence on disk and stores encrypted private keys. always:false (normal) and the skill does not modify other skills or global agent settings. Users should be aware these files are long-lived and control their filesystem permissions and backups.
What to consider before installing
Key points to consider before installing or running this skill: - It requires a Helius API key stored in ~/.config/solana-skill/config.json, but the registry metadata does not declare this — you must create that file yourself or the skill will fail. Do not paste your key into a public place. - The wallet encryption uses a default password derived from environment values (USER + HOME hashed). That is predictable and weak: change the implementation to require a user-supplied passphrase or use a hardware/external signer before storing real funds. Do NOT rely on the default behavior if you care about secrecy. - The skill writes encrypted wallets and logs to ~/.config/solana-skill; ensure filesystem permissions are restricted and back up keys securely. Consider using external signing (hardware wallet) instead of importing private keys into this tool. - The references allow creating webhooks pointing at arbitrary endpoints; if you enable webhook functionality, only register endpoints you control and review what activity is being forwarded to avoid leaking address activity to third parties. - There are mentions of regional Helius sender endpoints over HTTP in the docs — verify the endpoints the code actually uses (the code uses getRpcUrl → HTTPS) and avoid using non-TLS endpoints. - Before trusting with substantial funds: (1) review and if needed modify getDefaultPassword to prompt for a passphrase; (2) run the code locally and inspect it; (3) test sending small amounts first; (4) consider running in an isolated environment. If you want, I can (a) point out the exact lines you should change to require a passphrase prompt, (b) produce a minimal checklist to safely run this skill, or (c) create a patched version that prompts for a user password instead of deriving one from env vars.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
DeFivk97348wfe2vqnx40gbcbf8qepn80b33kcryptovk97348wfe2vqnx40gbcbf8qepn80b33klatestvk97348wfe2vqnx40gbcbf8qepn80b33ksolanavk97348wfe2vqnx40gbcbf8qepn80b33ktradingvk97348wfe2vqnx40gbcbf8qepn80b33kwalletvk97348wfe2vqnx40gbcbf8qepn80b33k

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Solana Skill

Comprehensive Solana blockchain interaction using Helius infrastructure.

Prerequisites

  1. Helius API Key — Get free at https://dashboard.helius.dev/signup
  2. Store key in ~/.config/solana-skill/config.json:
{
  "heliusApiKey": "your-api-key",
  "network": "mainnet-beta"
}

Core Capabilities

Wallet Management

  • Create new wallets (keypair generation)
  • Import existing wallets (private key or seed phrase)
  • List managed wallets
  • Secure key storage (encrypted at rest)

Balance & Assets

  • Check SOL balance
  • Get all token balances (SPL tokens)
  • View NFTs and compressed NFTs
  • Portfolio valuation (via DAS API)

Transactions

  • Send SOL
  • Send SPL tokens
  • Transaction history (enhanced, human-readable)
  • Priority fee estimation

Swaps (Jupiter)

  • Get swap quotes
  • Execute token swaps
  • Slippage protection

Monitoring

  • Watch addresses for activity
  • Transaction notifications

Quick Reference

Check Balance

import { createHelius } from 'helius-sdk';

const helius = createHelius({ apiKey: 'YOUR_KEY' });
const assets = await helius.getAssetsByOwner({
  ownerAddress: 'WALLET_ADDRESS',
  displayOptions: {
    showFungible: true,
    showNativeBalance: true
  }
});

Send SOL

import { Connection, Keypair, SystemProgram, Transaction, sendAndConfirmTransaction, LAMPORTS_PER_SOL } from '@solana/web3.js';

const connection = new Connection('https://mainnet.helius-rpc.com/?api-key=YOUR_KEY');
const tx = new Transaction().add(
  SystemProgram.transfer({
    fromPubkey: sender.publicKey,
    toPubkey: recipientPubkey,
    lamports: amount * LAMPORTS_PER_SOL
  })
);
await sendAndConfirmTransaction(connection, tx, [sender]);

Jupiter Swap

// 1. Get quote
const quote = await fetch(`https://api.jup.ag/swap/v1/quote?inputMint=${inputMint}&outputMint=${outputMint}&amount=${amount}`);

// 2. Build swap transaction
const swap = await fetch('https://api.jup.ag/swap/v1/swap', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify({
    quoteResponse: await quote.json(),
    userPublicKey: wallet.publicKey.toString()
  })
});

// 3. Sign and send

API Endpoints

ServiceBase URL
Helius RPChttps://mainnet.helius-rpc.com/?api-key=KEY
Helius Senderhttps://sender.helius-rpc.com/fast
Jupiter Quotehttps://api.jup.ag/swap/v1/quote
Jupiter Swaphttps://api.jup.ag/swap/v1/swap

Security

Critical rules:

  • Never log or display private keys
  • Use encrypted storage for keys
  • Validate all addresses before transactions
  • Set reasonable slippage limits (default: 1%)
  • Always confirm large transactions with user

See references/security.md for detailed security practices.

Detailed References

Common Token Addresses

TokenMint Address
SOLSo11111111111111111111111111111111111111112 (wrapped)
USDCEPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v
USDTEs9vMFrzaCERmJfrF4H2FYD4KCoNkY11McCe8BenwNYB
BONKDezXAZ8z7PnrnRJjz3wXBoRgixCa6xjnB7YaB1pPB263

Error Handling

Common errors and solutions:

  • Insufficient SOL: Need SOL for rent + transaction fees
  • Token account not found: Create ATA before sending tokens
  • Transaction too large: Reduce instructions or use address lookup tables
  • Blockhash expired: Retry with fresh blockhash

Files

10 total
Select a file
Select a file to preview.

Comments

Loading comments…