ClawHub

IQDB On-Chain Storage

v0.2.0

On-chain immutable data storage using IQ Labs tech stack (IQDB, hanLock, x402). Use when building Solana-based persistent storage, on-chain databases, tamper-evident records, password-encoded data, or paid file inscription. Triggers on tasks involving on-chain CRUD, Solana PDA storage, rolling hash verification, Hangul encoding, or HTTP 402 payment-gated inscription.

0· 1.1k·0 current·0 all-time
byRocket@emanz1
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The skill claims to provide on‑chain storage for Solana and references appropriate SDKs, program IDs, and payment flows — that part is coherent. However the registry metadata lists no required environment variables or credentials while the SKILL.md and references clearly instruct the user to supply a Solana keypair (ANCHOR_WALLET), RPC endpoints (ANCHOR_PROVIDER_URL/NETWORK_URL), and to sign transactions. The omission of those required credentials in the metadata is an inconsistency that could mislead users about the privileges the skill needs.
!
Instruction Scope
The runtime instructions explicitly instruct the user to use a local Solana keypair file (signing credentials), set RPC endpoints, install npm packages, and perform payments to third‑party payment addresses returned by an x402 service. They also recommend a monkey‑patch for SDK internals. These operations are within the domain of an on‑chain storage tool, but the instructions also reference installing a Solana CLI via a curl | sh installer hosted on release.anza.xyz (not the official Solana URL) and ask to handle private key files — both raise scope and safety concerns.
!
Install Mechanism
This is an instruction‑only skill (no automatic install), which reduces automatic risk. However the included docs recommend running npm installs (expected) and a curl-based installer for the Solana CLI from release.anza.xyz (a third‑party domain). Downloading and running an installer from an unfamiliar domain is high risk, and the docs do not point to official Solana release URLs.
!
Credentials
Functionally the skill needs access to a Solana keypair for signing and RPC credentials — appropriate for writing on‑chain. But the metadata declares no required env vars or primary credential while the documentation requires ANCHOR_WALLET and RPC URLs. That mismatch is significant: private key access is sensitive, and users should be explicitly informed. Also the docs mention using paid RPC providers (Helius, Alchemy, QuickNode) which may require API keys not documented here.
Persistence & Privilege
The skill does not request always:true, does not include an install spec that writes code automatically, and does not claim to modify other skills or system settings. It requires the user's wallet to sign transactions (expected privilege for on‑chain writes) but does not request persistent elevated platform privileges in the manifest.
What to consider before installing
This skill appears to implement an on‑chain Solana storage stack, but several red flags mean you should proceed cautiously: - The manifest lists no required credentials, yet the instructions require a Solana keypair (ANCHOR_WALLET) and RPC endpoints. Do not provide your private key to anything you haven't fully vetted. - The docs recommend installing the Solana CLI via a curl script from release.anza.xyz — do not run unknown curl | sh installers. Use official Solana installation sources only (verify upstream project pages). - The skill instructs you to monkey‑patch SDK internals. That can be fragile and hide behavior; prefer official SDK fixes or upstream guidance. - The x402 flow involves paying to addresses returned by a service; verify the payment endpoints and operator reputation before sending funds. Test everything on devnet with a throwaway wallet first. - Verify the provenance of npm packages (@iqlabs-official/solana-sdk, @iqlabsteam/iqdb, hanlock): check their npm publisher, GitHub repo, commit history, and program IDs onchain. Confirm the program IDs and package authors independently (e.g., on GitHub or published docs). If you plan to use this skill: test exclusively on devnet with a fresh test keypair, avoid running untrusted installers, and require the skill author/source (homepage or repository) and package fingerprints before using a real wallet or making payments.

Like a lobster shell, security has layers — review code before you run it.

latestvk97exsqa1x00smnspvnwgwhq5h80t9sr

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments