Solana On-Chain Agent Registry, Reputation & Trust
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill appears coherent for a Solana registry SDK, but it needs a Solana private key and can make persistent on-chain/IPFS changes that users should approve carefully.
Install this only if you intend to use the 8004 Solana SDK. Use a dedicated low-balance wallet, pin and verify npm dependencies, test on devnet first, and approve every signing or metadata publication step manually.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used with a valuable wallet, the agent may be able to sign transactions that spend fees or modify registry state.
The skill explicitly requires and uses a Solana private key to create a signer. This is expected for on-chain write operations, but the key can control wallet funds and authorize transactions.
"env":["SOLANA_PRIVATE_KEY"],"primaryEnv":"SOLANA_PRIVATE_KEY" ... Keypair.fromSecretKey(Uint8Array.from(JSON.parse(process.env.SOLANA_PRIVATE_KEY!)))
Use a dedicated low-balance wallet, prefer devnet for testing, and require explicit review before any transaction is signed.
The agent could create or update on-chain records and incur Solana transaction costs if the user authorizes signing.
The documented SDK calls can perform on-chain write operations, including registration, wallet assignment, and metadata changes. These actions are purpose-aligned but high-impact.
### With signer (for write operations) ... const result = await sdk.registerAgent(`ipfs://${cid}`); ... await sdk.setAgentWallet(result.asset, opWallet); ... await sdk.setMetadata(assetPubkey, 'version', '2.0.0');
Before write calls, show the target cluster, wallet, estimated fees, accounts being changed, and exact transaction purpose to the user.
Mistaken metadata, private information, or wrong endpoints could become publicly accessible and difficult to remove.
The skill documents uploading metadata to IPFS and registering or setting metadata on-chain, including immutable metadata. Incorrect or sensitive content may persist publicly.
const cid = await ipfs.addJson(metadata); ... await sdk.registerAgent(`ipfs://${cid}`); ... Immutable metadata (permanent, cannot change or delete)
Review all metadata before upload or on-chain submission, and never include secrets, private URLs, or personal data in IPFS or immutable fields.
A future package change or dependency compromise could affect the code used with the wallet private key.
The skill directs users to install npm packages without pinned versions. This is common for SDK documentation, but it leaves the exact installed code dependent on the package registry at install time.
npm install 8004-solana @solana/web3.js
Verify the package source, pin versions, use a lockfile, and review package provenance before using it with real funds or a production wallet.
