Solana Dev Skill

Advisory

Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Generated dApps or scripts may ask a wallet to sign transactions, so users could affect funds or account state if transaction details are not clearly reviewed.

Why it was flagged

The skill explicitly covers code that connects wallets, requests signatures, and sends transactions; this is central to Solana development but can authorize fees, transfers, or other on-chain account changes.

Skill content

- Wallet connection + signing flows
- Transaction building / sending / confirmation UX

Recommendation

Keep signing user-initiated and display cluster, fee payer, recipient, amount/token, simulation result, and confirmation state before requesting any signature.

What this means

Installing latest packages can introduce compromised, incompatible, or unexpectedly changed dependencies into a project or CI environment.

Why it was flagged

The documentation includes user-directed installation of testing tools from package registries without version pins; this is normal for a development guide and is not automatic skill installation.

Skill content

cargo install surfpool
...
npm i --save-dev litesvm

Recommendation

Pin package versions, use lockfiles, and verify package provenance before adding these dependencies to production projects or CI.

What this means

If copied into non-test code or pointed at an unintended RPC service, these raw calls could bypass normal transaction-flow assumptions or corrupt test fixtures.

Why it was flagged

The testing guide demonstrates raw Surfnet RPC methods that directly mutate local test state; this is purpose-aligned for integration testing but should remain scoped to local/test environments.

Skill content

const connection = new Connection("http://localhost:8899", "confirmed"); ... await connection._rpcRequest('surfnet_setAccount', [{

Recommendation

Keep Surfnet raw RPC helpers in test-only code, enforce localhost/test endpoints, and avoid raw RPC escape hatches in production dApps.