Colony Solana
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent Solana game bot, but it gives an autonomous agent control of a funded mainnet wallet for swaps and token-burning game actions without clear permission limits or complete registry disclosure.
Only install this if you are comfortable letting an agent control a newly created, minimally funded Solana wallet. Do not use your main wallet private key. Verify the program ID, token mint, and project source independently, and add strict approvals and spending limits before allowing autonomous swaps, purchases, or upgrades.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could spend SOL, swap into $OLO, burn tokens to buy or upgrade land, and keep acting over time using the funded wallet.
The skill is meant to autonomously perform real mainnet financial actions, including swaps and game transactions, but the artifacts do not show explicit budget limits or approval gates.
- Generate its own Solana wallet and ask the owner to fund it
- Buy land plots, upgrade them, and claim $OLO earnings
- Swap SOL for $OLO via Jupiter
- Run autonomously on a 4-6 hour loop
Use only a new wallet with a small amount you are willing to risk, require explicit approval for swaps/purchases/upgrades, and set clear spending and stop limits before enabling autonomous play.
Anyone or any process with access to that private key can sign irreversible transactions for the funded wallet.
The code loads a Solana wallet secret from the environment and turns it into a signing key. Registry metadata, however, declares no required env vars and no primary credential.
const SOLANA_PRIVATE_KEY = process.env.SOLANA_PRIVATE_KEY;
...
return Keypair.fromSecretKey(bs58.decode(SOLANA_PRIVATE_KEY));
Do not use a main wallet or a wallet holding unrelated funds. Treat the key as highly sensitive, keep funding minimal, and require the skill metadata to declare SOLANA_PRIVATE_KEY as a primary credential.
A user may fund and interact with an on-chain program or token ecosystem they have not independently verified.
The bundled on-chain IDL metadata is branded as “Scamina” rather than Colony, while the registry source is unknown and has no homepage. For a mainnet wallet-spending skill, this identity/provenance mismatch is material.
"metadata": {
  "name": "scamina",
  "version": "0.1.0",
  "spec": "0.1.0",
  "description": "Scamina Solana program"
}
Verify the program ID, token mint, project website/source repository, and contract provenance independently before funding the generated wallet.
Installing dependencies runs normal npm supply-chain code needed by the CLI.
The skill requires a local Node/npm setup even though the registry lists no install spec. This appears purpose-aligned but should be visible to the user.
cd <skill-directory>
npm install
Review package.json and package-lock.json, install in an isolated environment, and avoid running it with unrelated wallet credentials or broad system privileges.
