Solana Monitor Pro

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill appears to monitor public Solana market and blockchain data, but users should note that it requires notification credentials, makes external API calls, has unpinned dependencies, and includes some unfinished or overstated features.

Install only if you are comfortable with a development-stage monitoring tool that contacts external crypto/notification providers. Use dedicated notification credentials, avoid putting wallet private keys or sensitive account data into its configuration, and verify the unfinished features before relying on it for trading or risk decisions.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If these credentials are mishandled, someone could send Telegram messages or emails using the configured bot/account.

Why it was flagged

The skill asks users to configure Telegram and email credentials for alert delivery. This is expected for the notification feature, but those credentials can authorize message sending through the configured accounts.

Skill content

telegram:
  bot_token: YOUR_BOT_TOKEN
  chat_id: YOUR_CHAT_ID
...
email:
  smtp_server: smtp.gmail.com
  smtp_port: 587
  sender_email: your@gmail.com
  sender_password: YOUR_APP_PASSWORD

Recommendation

Use a dedicated Telegram bot and email app password, store secrets outside prompts/chat logs, and revoke or rotate credentials if no longer needed.

What this means

Token queries and alert-related activity may be visible to the external services used by the skill.

Why it was flagged

The price monitor makes outbound requests to a third-party price API. This is purpose-aligned for market monitoring, but users should be aware that requested token IDs/currencies are sent to an external provider.

Skill content

COINGECKO_API = "https://api.coingecko.com/api/v3"
...
response = requests.get(url, params=params, timeout=10)

Recommendation

Only monitor tokens/data you are comfortable sending to external APIs, and review provider privacy/rate-limit terms.

What this means

Installing later dependency versions could introduce compatibility or supply-chain risk outside this skill’s reviewed source.

Why it was flagged

The dependency versions are specified as lower bounds rather than exact pinned versions. This is not malicious, but future package versions could change behavior.

Skill content

requests>=2.28.0
python-dotenv>=1.0.0

Recommendation

Install in a virtual environment and prefer pinned dependency versions or a lockfile for repeatable installs.

What this means

Users could overestimate the skill’s readiness for trading, liquidity, or rug-pull monitoring decisions.

Why it was flagged

The skill description lists liquidity monitoring and new-token discovery, while the roadmap marks related capabilities as incomplete. The development status is disclosed, but the feature set is broader than the included implementation.

Skill content

- 💧 Liquidity pool monitoring
- 🆕 New token discovery
...
- [ ] Liquidity monitoring
- [ ] Web dashboard
- [ ] Public API

Recommendation

Treat it as an MVP/demo, verify which features are actually implemented, and do not rely on it as financial or risk-assessment advice.