Jupiter Skill for OpenClaw

This package appears to do what it says (talk to Jupiter API, sign and send Solana transactions), but take these precautions before installing: - Verify the origin: the skill's source/homepage is unknown. Prefer code from a known repository or the official Jupiter examples. - Metadata mismatch: SKILL.md and the scripts require JUP_API_KEY and access to a Solana wallet file (~/.config/solana/id.json), but the published registry metadata omitted these. Treat that discrepancy as a red flag — ask the publisher to correct it or verify why it was omitted. - Wallet safety: never use a high-value wallet file with this tool. Use an isolated, low-balance or ephemeral wallet. Prefer hardware signing where possible; this code reads raw wallet JSON and will expose private key material to whatever runtime executes it. - Run in a sandbox: installing dependencies (pnpm install) and running the scripts executes code locally. If you decide to test, do so in an isolated environment/container and inspect the code locally first. - Inspect and verify: review the included scripts yourself (they are present and readable). Confirm endpoints are api.jup.ag and valid docs links; no other outbound endpoints are present. Check the pnpm-lock.yaml for unexpected packages if supply-chain trust is a concern. - Autonomy risk: if you plan to allow the agent to invoke skills autonomously, be cautious about granting access to any wallet files or environment variables to the agent, because an autonomously-invoked skill could sign/send transactions without additional prompts. If the publisher updates the registry metadata to include the required env vars and config paths and you verify the repo origin and contents, the skill would be coherently scoped for its purpose. If you cannot verify origin or the metadata remains inconsistent, avoid using real funds and prefer manual, audited usage only.