Solana Dev Skill
Pass. Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: solana-dev-skill
Version: 1.0.0
The skill bundle provides a comprehensive and detailed playbook for Solana development, covering UI, SDK, program development, testing, and security best practices. All instructions in SKILL.md and supplementary markdown files are aligned with the stated purpose of assisting with Solana development. The included code snippets and commands (e.g., `cargo update --precise`, `cargo install surfpool`) are standard development practices for managing dependencies or setting up local testing environments, and do not indicate any malicious intent such as data exfiltration, unauthorized execution, or prompt injection with harmful objectives. The 'security.md' file, for instance, details common attack vectors and their prevention, serving as a guide for secure development rather than an attack blueprint.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Generated dApps or scripts may ask a wallet to sign transactions, so users could affect funds or account state if transaction details are not clearly reviewed.
The skill explicitly covers code that connects wallets, requests signatures, and sends transactions; this is central to Solana development but can authorize fees, transfers, or other on-chain account changes.
- Wallet connection + signing flows
- Transaction building / sending / confirmation UX
Keep signing user-initiated and display cluster, fee payer, recipient, amount/token, simulation result, and confirmation state before requesting any signature.
Installing latest packages can introduce compromised, incompatible, or unexpectedly changed dependencies into a project or CI environment.
The documentation includes user-directed installation of testing tools from package registries without version pins; this is normal for a development guide and is not automatic skill installation.
cargo install surfpool ... npm i --save-dev litesvm
Pin package versions, use lockfiles, and verify package provenance before adding these dependencies to production projects or CI.
If copied into non-test code or pointed at an unintended RPC service, these raw calls could bypass normal transaction-flow assumptions or corrupt test fixtures.
The testing guide demonstrates raw Surfnet RPC methods that directly mutate local test state; this is purpose-aligned for integration testing but should remain scoped to local/test environments.
const connection = new Connection("http://localhost:8899", "confirmed"); ... await connection._rpcRequest('surfnet_setAccount', [{
Keep Surfnet raw RPC helpers in test-only code, enforce localhost/test endpoints, and avoid raw RPC escape hatches in production dApps.
