Solana Investor

Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: solana-investor
Version: 0.1.0

The skill acts as an orchestrator for Solana investment tasks, providing logic for coordinating portfolio reviews, market checks, and trade execution. The included scripts (evaluate-execution-mode.js and get-metrics.js) are administrative utilities that report system readiness and performance metrics by querying a local database and checking environment variables (e.g., Helius API keys, Telegram tokens). The reviewed artifacts show no evidence of malicious intent, unauthorized network calls, or data exfiltration.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If used as intended, the assistant may help create alerts or DCA strategies after confirmation.

Why it was flagged

The skill may coordinate write-capable investment actions, but its documentation explicitly requires that each write operation be confirmed.

Skill content
Invokes `create-dca.js` from `solana-dca` ... **Step-by-step confirmation**: in a multi-step operation, every write operation requires confirmation
Recommendation

Confirm token, amount, schedule, threshold, and whether execution is simulated or live before approving any write action.

What this means

If the script is invoked, it depends on unreviewed local shared code and configuration, which could change what the skill actually does.

Why it was flagged

An included executable script loads shared modules from outside the provided manifest, while SKILL.md states that this skill has no direct scripts. Important runtime behavior is therefore under-disclosed and cannot be fully reviewed from the provided artifacts.

Skill content
const sharedDir = path.resolve(__dirname, '..', '..', '..', 'shared');
const config = require(path.join(sharedDir, 'config'));
const { initDatabase, getDb } = require(path.join(sharedDir, 'database'));
Recommendation

Disclose all runnable scripts and shared dependencies in SKILL.md/metadata, include the referenced shared modules for review, or remove the unused scripts.

What this means

Running the script could reveal aggregate investment-service activity and operational state from local persistent data.

Why it was flagged

The script reads persistent user, strategy, alert, and transaction tables and outputs aggregate operational context, but this database access is not described by the prompt-only orchestrator documentation.

Skill content
totalUsers: count('SELECT COUNT(*) AS count FROM users'),
activeStrategies: count("SELECT COUNT(*) AS count FROM dca_strategies WHERE status = 'active'"),
activeAlerts: count('SELECT COUNT(*) AS count FROM price_alerts WHERE is_active = 1'),
totalTransactions: count('SELECT COUNT(*) AS count FROM transactions')
Recommendation

Document exactly which database paths and tables are accessed, require explicit user/admin intent before running metrics scripts, and avoid exposing sensitive operational summaries in normal user workflows.

What this means

A user or administrator who runs the script learns, and if the output is shared discloses, whether trading-related credentials and signer controls exist in the environment.

Why it was flagged

The script checks for API, notification, and execution-signer configuration. It does not print the secret values, but these sensitive environment dependencies are not declared in metadata.

Skill content
config.heliusApiKey ? 'HELIUS_API_KEY is configured.' : 'HELIUS_API_KEY is missing' ... process.env.TELEGRAM_BOT_TOKEN ... process.env.EXECUTION_SIGNER_REF
Recommendation

Declare optional credential/environment checks and keep execution-readiness output limited to trusted administrative contexts.