Whistle RPC
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a coherent instruction-only Solana RPC service, but users should notice the real SOL subscription payment, API key, and transaction-broadcasting capability.
Install only if you are comfortable using whistle.ninja as a hosted Solana RPC provider, paying 1 SOL/month, and sending wallet/address queries to that provider. Keep the API key private, use a low-value wallet for subscription payments, and manually approve every transaction involving funds.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overly autonomous use could broadcast a signed Solana transaction or spend SOL for the subscription.
The skill exposes normal Solana transaction-submission capability and includes a real on-chain payment flow. This is purpose-aligned and includes approval guidance, but it can affect real funds.
**Transaction:** `sendTransaction`, `simulateTransaction` ... "The payment step sends real SOL on mainnet. The agent must ask the human operator for explicit approval before signing any transaction"
Use a dedicated low-value wallet, review the exact recipient and amount, and require human approval before signing or submitting any value-moving transaction.
Anyone who obtains the API key could use the paid service under the user's subscription.
The service uses an API key for access to the paid RPC endpoints. This is expected for the stated service and there is no evidence of key leakage or unrelated credential use.
All endpoints require an API key obtained through subscription ... `X-API-Key: YOUR_KEY`
Store the API key securely, avoid pasting it into untrusted contexts, and rotate or replace it if exposed.
The provider can observe which blockchain addresses and market data the agent queries.
The documented external APIs receive wallet addresses and request patterns, which can be linked to the user's API key. This is expected for a hosted RPC/history provider.
GET /v1/transactions/:address ... GET /v1/token-transfers/:address ... GET /v1/swaps/:address
Avoid querying addresses you do not want associated with this service account, and review the provider's privacy practices if that linkage matters.
If the user chooses the CLI path, they would be trusting an external npm package in addition to these skill instructions.
The included artifacts are instruction-only, but the tools manifest references an optional npx CLI. Running it would fetch and execute npm package code that is not included in this artifact set.
"cli": "npx whistle-rpc subscribe"
Prefer the documented direct HTTP flow, or inspect and pin the npm package before running the npx command.
