Colony Solana

v1.0.0

Play Colony game on Solana — buy lands, upgrade, claim $OLO earnings, swap tokens via Jupiter. Full autonomous gameplay with strategy optimization.

by Maxim Manylov (@manylov)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Benign
OpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The CLI and SKILL.md behavior (generate a wallet, require SOLANA_PRIVATE_KEY, perform swaps and on-chain buys/claims) are coherent with a Colony game agent, but the registry metadata declared no required env vars or credentials while SKILL.md and code require a SOLANA_PRIVATE_KEY and optionally JUPITER_API_KEY. That discrepancy is an incoherence in the package metadata and the expected privileges.
Instruction Scope
Runtime instructions explicitly tell the agent to generate a wallet, persist the private key in SOLANA_PRIVATE_KEY, ask the owner to fund it, and then perform autonomous on-chain actions (swap, buy, upgrade, claim). The instructions do not ask the agent to read unrelated system files, nor to exfiltrate secrets, but they do instruct storing and using a highly sensitive private key and requesting the owner to transfer real SOL — both are high-impact actions that are nevertheless within the stated game purpose.
Install Mechanism
There is no platform install spec, but SKILL.md instructs running npm install to use the included colony-cli.mjs. Dependencies are standard Solana/Anchor/npm packages from the registry (package.json/package-lock.json). No arbitrary download URLs or extract steps are present in the manifest, so install risk is typical for running third‑party Node code (pulls multiple npm packages).
!
Credentials
The skill requires a private key (SOLANA_PRIVATE_KEY) that allows signing transactions and moving funds; that is proportionate to the stated purpose but represents very high privilege. The SKILL.md also mentions JUPITER_API_KEY for swaps. The manifest's omission of required env vars is inconsistent and reduces transparency about what secrets will be requested/used.
Persistence & Privilege
The skill is not marked always:true and is user-invocable (normal). However, because the agent can be allowed to invoke the skill autonomously and the skill can sign and send transactions with the user's private key, there is an elevated blast radius if allowed to run unattended. This is expected for an autonomous wallet-managing skill but is a meaningful risk to weigh.
What to consider before installing
This skill will generate or require a Solana private key (SOLANA_PRIVATE_KEY) and can sign transactions that move real funds (swap SOL, buy/upgrade lands, claim tokens). Before installing or running it:
1) Do not use your main or high-value wallet — create a dedicated, funded test wallet with a small amount of SOL.
2) Verify the program ID and token mint addresses in the code match the official Colony project and $OLO mint (to avoid interacting with a malicious program).
3) Review the colony-cli.mjs source yourself (or have someone audit it) for any hidden network calls or exfiltration logic.
4) Prefer hardware/air-gapped signing or a watch-only setup if you do not trust the code; never paste your private key into untrusted environments.
5) Note the registry metadata omitted required env vars — ask the publisher to update metadata to declare SOLANA_PRIVATE_KEY and JUPITER_API_KEY.
6) Run npm install in an isolated environment (container/VM) and consider running the CLI locally with read-only commands (status, game-state, land-info) before enabling write/autonomous behavior.
If you are not comfortable granting a skill a private key that can spend funds, do not enable autonomous runs or avoid installing the skill.

Like a lobster shell, security has layers — review code before you run it.

defi · gaming · idle-game · latest · solana
