solana-skill
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This Solana skill is mostly coherent, but it can move real crypto funds and stores wallet keys with weak built-in protection, so it needs careful review before use.
Only use this with test or low-value wallets unless you add strong manual approval and key protection. Review every transaction before signing, prefer devnet or small amounts first, keep the Helius config and wallet directory protected, and consider a hardware wallet or OS keychain instead of this default stored-key approach.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or autonomous invocation could swap real assets and cause irreversible financial loss.
The skill signs a remotely built Jupiter swap transaction and broadcasts it with preflight disabled, without an explicit user confirmation or instruction-verification step in the executable path.
  const tx = VersionedTransaction.deserialize(txBuffer);
  tx.sign([wallet]);
  const signature = await connection.sendRawTransaction(tx.serialize(), { skipPreflight: true, maxRetries: 3 });
Require explicit user approval immediately before signing; show mints, amounts, route, price impact, fees, recipient/programs, and network; and simulate or verify the instructions before broadcast.
If wallet files are copied or the local account is compromised, private keys may be much easier to decrypt than users would expect.
This deterministic machine-derived value is used as the default password for encrypting and decrypting stored wallet private keys, rather than a user secret, OS keychain, or hardware wallet boundary.
  const machineId = process.env.USER + process.env.HOME;
  return createHash('sha256').update(machineId).digest('hex');
Use a user-supplied passphrase, an OS credential store, or a hardware-wallet signing flow; clearly declare how wallet keys are stored and avoid storing high-value keys in this skill.
A crafted wallet name containing ../ could cause wallet reads or writes outside the intended ~/.config/solana-skill/wallets directory.
Wallet names from CLI arguments are used directly in filesystem paths without rejecting path separators or verifying that the resolved final path remains under the wallets directory.
  const walletPath = join(walletsDir, `${name}.json`);
Restrict wallet names to a safe character set, reject path separators, resolve the final path, and verify it stays inside the wallet directory before reading or writing.
Programmatic use may unexpectedly print, exit, or perform CLI actions if arguments match, which is risky around transaction-sending code.
The script executes its CLI handler unconditionally at module load time; because it also exports functions, importing it can trigger CLI behavior based on process.argv.
  async function main() {
    const [,, type, fromWallet, toAddress, ...rest] = process.argv;
    ...
  }
  main().catch(console.error);
Guard CLI entry points so main() runs only when the file is executed directly, not when it is imported.
Dependency changes could alter behavior in a tool that can access private keys and move funds.
The skill relies on npm packages with caret version ranges, so future installs can pull newer dependency versions; this matters more because the code handles wallet keys and signing.
  "@solana/web3.js": "^1.98.0", "@solana/spl-token": "^0.4.0", "helius-sdk": "^2.1.0", "tsx": "^4.7.0"
Pin and lock dependency versions, review the lockfile, and run the skill in an isolated environment.
