ClawHub

Graveyard Protocol CLI

v1.2.2

Close empty Solana SPL token accounts and reclaim locked rent SOL back to your wallet, track Ghost Point earnings, claim SOUL tokens at the end of each weekl...

0· 112·0 current·0 all-time
byGraveyard Protocol@graveyardprotocol
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
CryptoRequires wallet
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Pending
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (close empty SPL token accounts, reclaim rent SOL, track/claim rewards) match the instructions. Required binaries (node, npx, gp-cli) and the command-line workflow are proportionate to the stated purpose.
Instruction Scope
SKILL.md instructs agents to run gp-cli commands that (a) read user keypair files (e.g. --keypair-file ~/.config/solana/id.json), (b) store encrypted keypairs locally (~/.gp-cli/wallets.json), (c) build and locally sign transactions and then submit signed bytes to the Graveyard backend. This scope is expected for a wallet-management CLI, but it does require the agent to access private key files — a sensitive action that users should explicitly permit and monitor.
Install Mechanism
Instruction-only skill (no install spec and no code files). The README advises npm install -g @graveyardprotocol/gp-cli which is an expected distribution method for a Node CLI; no arbitrary download or extract URLs are present in the skill itself.
Credentials
The skill declares no required environment variables or external credentials, which is consistent. However, it relies on local private key files and creates an encrypted wallets file on disk; these are sensitive artifacts (private keys) and are justified by the tool's function but should be treated carefully by users.
Persistence & Privilege
The skill does not request always:true or elevated platform privileges. It writes to its own local storage (~/.gp-cli/wallets.json) and does not modify other skills or system-wide agent config. Normal autonomous invocation remains enabled (platform default).
Assessment
This skill appears coherent for its stated purpose, but it requires access to private key files and will store encrypted keypairs locally. Before installing or allowing an agent to run it: (1) Inspect the gp-cli repository and release artifacts (https://github.com/graveyardprotocol/gp-cli) or install from a trusted package registry; (2) Avoid giving the agent your raw private key unless you trust the environment — consider using a throwaway or watch-only address first; (3) Verify that only signed transaction bytes (not private keys) are transmitted to the backend; (4) Review the local storage (~/.gp-cli/wallets.json) and the CLI's encryption implementation if you will keep real funds; (5) Prefer manual runs on an air-gapped or developer machine or use hardware wallet / offline signing if possible. If you need a higher-assurance recommendation, share the gp-cli source code or release tag and I can highlight places to audit (signing, network endpoints, and storage format).

Like a lobster shell, security has layers — review code before you run it.

latestvk97f4sqdvtdj0nap2h0dbce761847ndp

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsnode, npx, gp-cli

Comments