ClawHub

Helius API

PassAudited by ClawScan on May 1, 2026.

Overview

This is a coherent instruction-only skill for read-only Solana queries, but users should notice that it needs a Helius API key and sends queried wallet data to Helius.

This skill appears safe and purpose-aligned for read-only Solana lookups. Before installing, make sure you are comfortable providing a Helius API key, understand that API credits may be used, and avoid querying wallet addresses or transactions you do not want linked to your Helius account.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

NoteHigh Confidence
ASI03: Identity and Privilege Abuse
What this means

Using the skill may consume the user's Helius account credits and exposes that API key to whatever agent environment performs the requests.

Why it was flagged

The skill needs a Helius API key to use the service. That is expected for this integration, but the registry metadata says there are no required env vars or primary credentials, so users should be aware before installing.

Skill content
Query comprehensive Solana data via REST endpoints. Requires `HELIUS_API_KEY` env var.
Recommendation

Declare the HELIUS_API_KEY requirement in metadata, use a limited/rotatable key where possible, and prefer passing the key via header rather than embedding it in URLs when supported.

NoteHigh Confidence
ASI07: Insecure Inter-Agent Communication
What this means

Wallet addresses and transaction signatures are public on-chain data, but the fact that a user is investigating specific wallets or transactions may be visible to Helius and may consume API credits.

Why it was flagged

The skill sends wallet addresses, transaction signatures, and related query parameters to Helius. This is disclosed and central to the purpose, but it is still an external provider data flow.

Skill content
Base URLs

- **Wallet API:** `https://api.helius.xyz/v1/wallet/{address}/...?api-key=KEY`
- **Enhanced Transactions:** `https://api-mainnet.helius-rpc.com/v0/...?api-key=KEY`
Recommendation

Avoid querying addresses or signatures you do not want associated with your Helius account, limit pagination to what the user requested, and review Helius privacy/account terms if this matters.