Solpaw Interaction Skill
Warn. Audited by ClawScan on May 10, 2026.
Overview
This skill can spend from a Solana wallet and launch public tokens; that purpose is disclosed, but the code and docs conflict about local signing and who becomes the on-chain creator.
Review carefully before installing. Only use a dedicated wallet with the minimum SOL needed, never expose a main wallet private key, and prefer a local signer or hardware wallet. Confirm every transaction and avoid the SDK path unless it is changed to use the documented local-signing flow.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent, a command, or downstream code misuses this key, wallet transactions can be signed irreversibly.
The skill asks the agent environment to hold a raw Solana private key, which grants broad signing and spending authority rather than a narrowly scoped one-time permission.
`SOLANA_PRIVATE_KEY` — your wallet private key (base58 encoded, for signing)
Do not use a main wallet. Use a fresh low-balance wallet, keep the key out of the environment except during launch, and verify every transaction before signing.

A user may believe their own wallet will be the on-chain creator while the provided SDK path can rely on a server-signed launch flow instead.
The main SDK launch method calls `/tokens/launch`; the included API docs describe that endpoint as the fallback where the server signs and the platform wallet is the on-chain creator, conflicting with the skill's Local Mode and creator-ownership claims.
// Launch via Lightning API
const result = await this.request<...>("POST", "/tokens/launch", {
Update or use only the local-signing flow (`/tokens/launch-local` followed by `/tokens/submit`) and clearly warn users before any server-signed fallback.

The agent can pay SOL, submit signed transactions, and create a public token listing.
The skill intentionally performs bundled, state-changing financial operations. This is purpose-aligned, but it is high-impact and should never run without explicit user review.
One-call launch: pays fee + uploads + signs + submits
Require an explicit confirmation that includes the token name, symbol, description, image, total SOL to spend, slippage, fee wallet, and destination URLs.

Different installs may use different Solana SDK versions, which matters for wallet-signing workflows.
The Solana dependency is expected for this purpose, but it is not pinned. If installed, dependency resolution could change code involved in wallet transaction construction/signing.
"peerDependencies": { "@solana/web3.js": "^1.95.0" }
Use a lockfile or pinned dependency version and inspect installed packages before using a wallet private key.
