The Flip Publish

What to consider before installing: - Do NOT run the curl | sh installer linked in SKILL.md (https://release.anza.xyz). That command executes remote shell code from an untrusted host. If you need the Solana CLI, install it from the project's official instructions (solana.com / official GitHub releases) or your distro's package manager. - The skill will read and use a local Solana keypair (default ~/.config/solana/id.json) or any key file path you pass. That file contains private key material. Use a throwaway devnet-only wallet (create a new keypair) — never point the skill at a wallet that holds real/mainnet funds or private keys. - The package metadata only lists 'node' but the code requires Solana CLI, Anchor, and a Rust toolchain to build the on-chain program/IDL. Expect additional setup steps; the missing declarations are an incoherence you should resolve or ask the publisher to fix. - The demo script signs transactions and can move tokens if you provide a wallet. Review the demo.mjs and the on-chain program (program/src/lib.rs); they appear to implement the game logic and token transfers as described, but you should audit them yourself if you will provide a real wallet. - Avoid posting private keys anywhere. The SKILL.md suggests posting a wallet address on a forum to receive test USDC — posting a public address is OK, but never post the private key. - If you want to proceed safely: (1) create a new devnet-only wallet, (2) do not run any unknown remote installer, (3) install Solana/Anchor from official sources, (4) run the demo in an isolated environment (container/VM), and (5) consider building/reviewing the on-chain program yourself or interacting only via the public API endpoints and a wallet you control. Bottom line: the code aligns with the described game, but the presence of an untrusted remote installer instruction and missing dependency/credential declarations make this package suspicious until those issues are fixed or you take the recommended safety precautions.