IQDB On-Chain Storage
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: iqdb-onchain-storage
Version: 0.2.0
The skill bundle provides instructions and code examples for interacting with Solana for on-chain data storage and payment-gated file inscription. While it requires access to a Solana wallet's keypair (via `ANCHOR_WALLET` environment variable) for signing transactions and uses `curl | sh` for Solana CLI installation (in `references/setup.md`), these are standard and necessary for the stated purpose of Solana development. There is no evidence of intentional harmful behavior, data exfiltration beyond the stated purpose, persistence mechanisms, or malicious prompt injection attempts in `skill.md` or other documentation. The 'monkey-patch' for Node.js Buffer compatibility is a documented technical workaround.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A funded wallet could spend SOL or tokens and create permanent on-chain records if the user runs signing examples against mainnet.
The setup uses a local Solana keypair to sign transactions. That is expected for on-chain writes, but it is sensitive wallet authority, especially if used on mainnet.
ANCHOR_WALLET=/path/to/keypair.json # Required — Solana keypair for signing
Use devnet first, prefer a dedicated low-balance wallet, protect the keypair file, and require explicit review before signing transactions.
The user may pay SOL or USDC for file inscription, and the same reference notes payment is non-refundable once inscription starts.
The x402 workflow includes a payment transfer to an address returned by a quote flow. This is core to the paid inscription purpose, but it is a high-impact action that should not be automated without confirmation.
Send the quoted amount to the provided payment address. Standard Solana transfer:
Confirm the service endpoint, quote, destination address, token, and amount before paying, and avoid letting an agent send payments without user approval.
A compromised or unexpected remote installer could affect the local development environment.
The setup guide uses a remote shell installer for the Solana CLI. This is a common installation pattern for developer tooling, but it means code is fetched and executed from outside the skill artifact.
sh -c "$(curl -sSfL https://release.anza.xyz/stable/install)"
Verify the Solana/Anza installer source, review official installation instructions, and consider pinned or package-manager-based installs where possible.
Secrets, keys, PII, or confidential business data could remain publicly recoverable if stored on-chain with only hanLock-style obfuscation.
The skill discusses encoding data before on-chain storage, but the reference makes clear hanLock is obfuscation rather than strong encryption. Since on-chain data can be persistent, weakly protected sensitive content would be hard to undo.
Not a substitute for real encryption. Suitable for obfuscation and casual privacy, not for protecting secrets against determined attackers.
Do not store sensitive data on-chain unless it is strongly encrypted and appropriate for permanent publication; treat hanLock as obfuscation only.
