Solana Easy Swap
Review
Audited by ClawScan on May 10, 2026.
Overview
This appears to be a legitimate Solana swap skill, but it can use your wallet keypair to sign real trades, so only use a limited wallet and confirm every quote carefully.
Before installing, understand that this skill can sign real Solana mainnet transactions with the keypair at SOLANA_KEYPAIR_PATH. Use a dedicated wallet with limited funds, verify every quote and mint address, require explicit confirmation before execution, and be aware that Jupiter/RPC providers can see trade metadata.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the configured keypair controls valuable funds, a mistaken or unauthorized execution could swap assets and pay network fees.
The skill requires direct access to a wallet private key file and can sign transactions with it. This is disclosed and central to the swap purpose, but it is high-impact authority.
`SOLANA_KEYPAIR_PATH` — path to a Solana keypair JSON file ... **This skill reads your keypair to sign transactions.**
Use a dedicated low-balance trading keypair, do not point this at a main wallet, and verify the quote before approving execution.
A wrong token mint, amount, destination, or slippage setting could result in an unwanted on-chain trade.
The skill performs irreversible financial actions, but its documented workflow requires a prepare step, a user-visible summary, and explicit confirmation before the execute step runs.
**Always show the summary to the user and wait for confirmation before executing.**
Only approve after checking the token mint addresses, amount, minimum received, price impact, slippage, and destination.
Jupiter and the configured RPC endpoint can learn the wallet public key and intended trade parameters, and completed transactions are public on Solana.
The script sends swap details and the wallet public key to Jupiter, which is expected for building a swap but is still a privacy-relevant external provider data flow.
`const quoteUrl = \`${JUPITER_BASE}/quote?inputMint=${fromMint}&outputMint=${toMint}&amount=${amountIn}&slippageBps=${slippage}\`;` ... `userPublicKey: owner.toBase58()`
Use this only if you are comfortable sharing quote/trade metadata with Jupiter and the selected Solana RPC provider.
Pending trade details may remain on local disk, and execution depends on cached prepared-swap state.
Prepared swap state, including the transaction payload and trade metadata, is written to a local cache so a later execute command can use it.
`writeFileSync(prepareFilePath(prepareId), JSON.stringify(prepared));`
Keep the skill directory protected, avoid sharing its cache, and clear old prepared swap files if local trade privacy matters.
Installing dependencies executes package installation logic and pulls third-party code used for wallet transaction handling.
The skill depends on npm packages to run. This is normal for a Node-based Solana integration, and a package-lock is present, but installation still relies on the npm supply chain.
`cd {baseDir} && npm install --production`
Install from a trusted registry context, keep the lockfile intact, and review dependency updates before upgrading.
