Solana Investor Review
Audited by ClawScan on May 10, 2026.
Overview
The prompt workflow is cautious, but the package includes under-disclosed Node scripts that read shared investment databases, metrics, and environment state.
Review the included Node scripts and the referenced shared modules before installing. Use the prompt workflow only for explicit investment tasks, and do not run the metrics or execution-readiness scripts unless you understand what local database, credential, and signer information they can access.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used as intended, the assistant may help create alerts or DCA strategies after confirmation.
The skill may coordinate write-capable investment actions, but it explicitly says each write operation should be confirmed.
Calls `create-dca.js` from `solana-dca` ... **Step-by-step confirmation**: every write operation in a multi-step flow requires confirmation.
Confirm the token, amount, schedule, threshold, and whether execution is simulated or live before approving any write action.
If the script is invoked, it depends on unreviewed local shared code and configuration, which could change what the skill actually does.
An included executable script loads shared modules from outside the provided manifest, while SKILL.md says this skill has no direct scripts. Important runtime behavior is therefore under-disclosed and not fully reviewable from the provided artifacts.

```javascript
const sharedDir = path.resolve(__dirname, '..', '..', '..', 'shared');
const config = require(path.join(sharedDir, 'config'));
const { initDatabase, getDb } = require(path.join(sharedDir, 'database'));
```

Disclose all runnable scripts and shared dependencies in SKILL.md/metadata, include the referenced shared modules for review, or remove the unused scripts.
Running the script could reveal aggregate investment-service activity and operational state from local persistent data.
The script reads persistent user, strategy, alert, and transaction tables and outputs aggregate operational context, but this database access is not described by the prompt-only orchestrator documentation.

```javascript
totalUsers: count('SELECT COUNT(*) AS count FROM users'),
activeStrategies: count("SELECT COUNT(*) AS count FROM dca_strategies WHERE status = 'active'"),
activeAlerts: count('SELECT COUNT(*) AS count FROM price_alerts WHERE is_active = 1'),
totalTransactions: count('SELECT COUNT(*) AS count FROM transactions')
```

Document exactly which database paths and tables are accessed, require explicit user/admin intent before running metrics scripts, and avoid exposing sensitive operational summaries in normal user workflows.
Running the script could reveal to a user or administrator whether trading-related credentials and signer controls exist in the environment.
The script checks for API, notification, and execution-signer configuration. It does not print the secret values, but these sensitive environment dependencies are not declared in metadata.

```javascript
config.heliusApiKey ? 'HELIUS_API_KEY is configured.' : 'HELIUS_API_KEY is missing' ... process.env.TELEGRAM_BOT_TOKEN ... process.env.EXECUTION_SIGNER_REF
```
Declare optional credential/environment checks and keep execution-readiness output limited to trusted administrative contexts.