THE FLIP
Audited by ClawScan on May 10, 2026.
Overview
This Solana devnet game is mostly coherent, but it reads your local Solana wallet key despite declaring no credential requirement, and it can sign on-chain transactions.
Install only if you are comfortable running a Solana devnet transaction script. Use a separate devnet-only wallet, review the npm/remote installer steps, and require manual approval before any command that enters, flips, claims, initializes, withdraws fees, or closes game state.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If run, the skill can use your Solana keypair to sign devnet transactions and spend devnet USDC/SOL fees; using a wallet that also holds mainnet value would be unnecessarily risky.
The script reads a local Solana private key from an env-selected path or the default wallet path, while the skill metadata declares no credential or config-path requirement.
const raw = JSON.parse(fs.readFileSync(keyPath || process.env.ANCHOR_WALLET || path.join(process.env.HOME, '.config', 'solana', 'id.json'), 'utf8')); return Keypair.fromSecretKey(Uint8Array.from(raw));
Use a dedicated throwaway devnet wallet, pass the keypair path explicitly, and do not let the agent run transaction commands without your confirmation. The publisher should declare ANCHOR_WALLET/default wallet access and avoid loading a private key for read-only commands.
An agent running these commands can enter the game, trigger a flip, or claim using the loaded wallet, which may spend tokens or fees on devnet.
The skill exposes commands that submit on-chain game transactions and mutate game state; this is purpose-aligned and disclosed, but should remain user-approved.
node app/demo.mjs enter HHTHHTTHHTHHTHHTHHTH ... Cost: 1 USDC ... node app/demo.mjs flip ... Permissionless — anyone can call.
Require explicit user approval before enter, flip, claim, withdraw-fees, init, or close-game-v1 actions.
Running the setup executes third-party installation code on your machine.
Setup relies on npm package installation and an optional remote shell installer for Solana tooling; this is user-directed setup, but the remote installer is not pinned in the instructions.
cd the-flip && npm install ... sh -c "$(curl -sSfL https://release.anza.xyz/stable/install)"
Inspect the installer source, prefer official package manager instructions where possible, and run setup in a constrained environment.
