4CHAD
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill is coherent with its stated purpose as a Solana DeFi trading tool, but it asks for wallet signing power and documents unattended transaction workflows that can move real funds with no built-in review step or spend limit.
Install only if you are comfortable giving an agent signing access to a Solana wallet. Use a dedicated low-balance wallet, verify the signing script before running it, review or simulate each transaction before signing, avoid the unattended bot examples unless they are capped and monitored, and never use a wallet holding assets you cannot afford to lose.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
All 66 VirusTotal vendors reported this skill as clean (0/66 detections). A clean signature scan says nothing about the behavioural risks below: the workflow contains no malware, it simply signs whatever the provider returns.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Unreviewed signing of provider-supplied transactions
If the agent is instructed poorly, is compromised, or receives an unexpected transaction from the service, it will sign and submit whatever it is given, including irreversible swaps or any other wallet action, using real funds.
The documented workflow takes an unsigned transaction returned by the provider API, signs it, and immediately submits it on-chain. The artifacts show no decoding, simulation, approval prompt, amount cap, or program/mint allowlist between receiving the transaction and signing it, so the provider, or anyone able to tamper with its response, decides what the wallet signs.
SIGNED_TX=$(node sign-transaction.js "$UNSIGNED_TX" "$SOLANA_PRIVATE_KEY") ... curl -X POST https://4chad.xyz/api/v1/agent/transaction/submit
Use a dedicated low-balance wallet, require explicit human approval for each transaction, decode or simulate transactions before signing, and enforce hard limits on amounts, slippage, and allowed tokens/programs. A guard should fail closed: anything it cannot fully decode (for example a versioned transaction whose accounts are resolved through address lookup tables) is refused rather than signed.
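The following is an added example, not code from the 4CHAD skill or from ClawScan, of the decode-and-check step the recommendation above calls for: it parses the legacy Solana transaction wire format with no external dependencies and refuses to sign unless the transaction has a single required signer, is paid for by our own wallet, touches only allowlisted programs, and moves no more than a configured lamport cap. It assumes the provider returns the unsigned transaction as base64 of the legacy (non-versioned) format with placeholder signatures; the key bytes, policy values, and the buildUnsignedTx/transferData helpers that construct the two sample transactions are hypothetical test fixtures, and the two program ids are the real System and Token program ids.

```javascript
// Added example, not code from the 4CHAD skill: decode and policy-check an unsigned legacy
// Solana transaction before sign-transaction.js ever sees it. Fails closed on anything unknown.
const SYSTEM_PROGRAM = '11111111111111111111111111111111';             // real program id
const TOKEN_PROGRAM = 'TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA';   // real program id
const LAMPORTS_PER_SOL = 1_000_000_000n;
const B58 = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
function base58Encode(bytes) {
  let n = 0n, s = '';
  for (const b of bytes) n = (n << 8n) | BigInt(b);
  while (n > 0n) { s = B58[Number(n % 58n)] + s; n /= 58n; }
  for (const b of bytes) { if (b !== 0) break; s = '1' + s; }      // leading zero bytes -> '1'
  return s;
}
// Solana compact-u16 length prefix: 7 bits per byte, little-endian, at most 3 bytes.
function readCompactU16(buf, off) {
  for (let i = 0, value = 0; ; i++) {
    if (i > 2 || off + i >= buf.length) throw new Error('bad compact-u16 at ' + off);
    value |= (buf[off + i] & 0x7f) << (7 * i);
    if ((buf[off + i] & 0x80) === 0) return [value, off + i + 1];
  }
}
function encodeCompactU16(n) {
  const out = [];
  do { out.push(n > 0x7f ? (n & 0x7f) | 0x80 : n); n >>= 7; } while (n);
  return out;
}
// Legacy wire format: signatures, header (3 bytes), account keys, recent blockhash, instructions.
function decodeLegacyTransaction(bytes) {
  let [n, off] = readCompactU16(bytes, 0);
  off += 64 * n;                                                    // skip placeholder signatures
  if (bytes[off] & 0x80) throw new Error('versioned message: lookup tables hide accounts');
  const numRequiredSignatures = bytes[off];
  [n, off] = readCompactU16(bytes, off + 3);
  const accountKeys = [];
  for (let i = 0; i < n; i++, off += 32) accountKeys.push(base58Encode(bytes.subarray(off, off + 32)));
  const recentBlockhash = base58Encode(bytes.subarray(off, off + 32));
  [n, off] = readCompactU16(bytes, off + 32);
  const instructions = [];
  for (let i = 0; i < n; i++) {
    const programIdIndex = bytes[off++];
    const [nAcc, o1] = readCompactU16(bytes, off);
    const accounts = Array.from(bytes.subarray(o1, o1 + nAcc), (k) => accountKeys[k]);
    const [dLen, o2] = readCompactU16(bytes, o1 + nAcc);
    const data = bytes.subarray(o2, o2 + dLen);
    off = o2 + dLen;
    if (programIdIndex >= accountKeys.length || accounts.includes(undefined)) throw new Error('account index out of range');
    instructions.push({ programId: accountKeys[programIdIndex], accounts, data });
  }
  if (off !== bytes.length) throw new Error('length mismatch: refusing a partially decoded transaction');
  return { numRequiredSignatures, accountKeys, recentBlockhash, instructions };
}
// SystemProgram Transfer data: u32 LE tag 2, then u64 LE lamports (12 bytes total).
function systemTransferLamports(data) {
  if (data.length !== 12) return null;
  const dv = new DataView(data.buffer, data.byteOffset, 12);
  return dv.getUint32(0, true) === 2 ? dv.getBigUint64(4, true) : null;
}
function checkBeforeSigning(tx, policy) {
  const problems = [];
  if (tx.numRequiredSignatures !== 1) problems.push(`${tx.numRequiredSignatures} signers required; refuse to co-sign`);
  if (tx.accountKeys[0] !== policy.wallet) problems.push(`fee payer ${tx.accountKeys[0]} is not our wallet`);
  tx.instructions.forEach((ix, i) => {
    if (!policy.allowedPrograms.has(ix.programId)) problems.push(`ix ${i}: program ${ix.programId} not allowlisted`);
    const lamports = ix.programId === SYSTEM_PROGRAM ? systemTransferLamports(ix.data) : null;
    if (lamports !== null && lamports > policy.maxLamportsPerTx) problems.push(`ix ${i}: ${lamports} lamports exceeds cap`);
  });
  return problems;
}
// Call this with $UNSIGNED_TX; only hand the transaction to the signer when ok === true.
function guardUnsignedTx(base64Tx, policy) {
  try {
    const tx = decodeLegacyTransaction(new Uint8Array(Buffer.from(base64Tx, 'base64')));
    const problems = checkBeforeSigning(tx, policy);
    return { ok: problems.length === 0, problems, tx };
  } catch (e) {
    return { ok: false, problems: ['undecodable transaction: ' + e.message], tx: null };
  }
}
// Constructed sample inputs with hypothetical keys (not real provider output).
function buildUnsignedTx(keys, ixs) {
  const body = [1, 0, keys.length - 2, ...encodeCompactU16(keys.length)];      // header: 1 signer
  for (const k of keys) body.push(...k);
  body.push(...new Uint8Array(32).fill(7), ...encodeCompactU16(ixs.length));   // fake blockhash
  for (const ix of ixs) body.push(ix.programIdIndex, ...encodeCompactU16(ix.accounts.length), ...ix.accounts,
    ...encodeCompactU16(ix.data.length), ...ix.data);
  return Buffer.from([1, ...new Uint8Array(64), ...body]).toString('base64');  // one empty signature
}
function transferData(lamports) {
  const d = new Uint8Array(12), dv = new DataView(d.buffer);
  dv.setUint32(0, 2, true); dv.setBigUint64(4, lamports, true);
  return d;
}
const WALLET = new Uint8Array(32).fill(0x11), OTHER = new Uint8Array(32).fill(0x22);
const SYSTEM = new Uint8Array(32), ROGUE = new Uint8Array(32).fill(0x33);
const POLICY = { wallet: base58Encode(WALLET), allowedPrograms: new Set([SYSTEM_PROGRAM, TOKEN_PROGRAM]),
  maxLamportsPerTx: LAMPORTS_PER_SOL / 10n };                                   // at most 0.1 SOL per tx
const SAFE_TX = buildUnsignedTx([WALLET, OTHER, SYSTEM],
  [{ programIdIndex: 2, accounts: [0, 1], data: transferData(10_000_000n) }]);   // 0.01 SOL transfer
const RISKY_TX = buildUnsignedTx([WALLET, OTHER, SYSTEM, ROGUE], [
  { programIdIndex: 2, accounts: [0, 1], data: transferData(5n * LAMPORTS_PER_SOL) },   // 5 SOL transfer
  { programIdIndex: 3, accounts: [0], data: new Uint8Array([1, 2, 3]) }]);             // unknown program
console.log(guardUnsignedTx(SAFE_TX, POLICY).ok, guardUnsignedTx(RISKY_TX, POLICY).problems);
```

Run stand-alone this prints true for the small transfer and two reasons for the risky one (the 5 SOL transfer exceeds the cap and the second instruction targets a program that is not allowlisted). The guard deliberately rejects versioned (v0) messages and anything that does not decode to exactly the byte length supplied: with address lookup tables the accounts a swap touches are not visible in the message, so a policy check that only sees the inline keys would be easy to bypass. A real swap will also need allowlist entries for the DEX program and a cap expressed in the token being spent, not only in lamports.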
Raw private key and API key held in environment variables
Anyone or any process that obtains the private key controls the wallet and can move its assets; a mistaken or overbroad agent action can cause financial loss.
The skill explicitly requires a raw Solana wallet private key and an API key. This is expected for local Solana transaction signing, but it grants unrestricted authority over the wallet rather than the scoped, policy-enforced signing a hardware wallet or a separate signer service would give. As quoted, 4CHAD_API_KEY is not a valid shell variable name (POSIX identifiers cannot begin with a digit), so that export line fails in bash unless the skill sets the key some other way.
export SOLANA_PRIVATE_KEY="your_base58_private_key" export 4CHAD_API_KEY="4chad_your_api_key"
Use a separate wallet holding only the funds needed for the task, rotate or revoke the API key when done, and keep the private key out of logs, shell history, shared shells, and long-running environments where other processes can read it. The documented signing command also passes the key as a command-line argument, which exposes it to every local user through the process list; the script should read it from the environment or a protected file instead.
Unpinned download of the signing script
If the hosted file changes or the site is compromised, a user installs different signing code than the reviewed artifact, and that code is the component that receives the private key.
The manual installation instructions download executable helper code from a live website with no pinned version, checksum, or signature.
curl -s https://4chad.xyz/sign-transaction.js > ~/.4chad/skills/sign-transaction.js
Prefer registry-managed installation, diff the downloaded file against the reviewed version before running it, and pin a hash or require a signed release for any downloaded helper script; re-verify after every update rather than only on first install.
Unbounded unattended trading loop
An unattended agent keeps trading and spending wallet funds until something stops it, including through market volatility or after a bad configuration.
The DCA trading example is an unattended loop that repeatedly creates, signs, and submits swap transactions. It is purpose-aligned, but it documents no stop condition, spend limit, or re-approval step.
while true; do ... create-swap ... SIGNED_TX=$(node sign-transaction.js "$UNSIGNED_TX" "$SOLANA_PRIVATE_KEY") ... sleep 3600 ... done
Do not run the long-running examples without a hard total budget, a per-run cap, stop-loss rules, monitoring, and a kill switch the operator can trigger without first locating the process; require re-authorization before recurring trades resume.
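As an added example, not code from the 4CHAD skill, the following is a bounded replacement for the `while true` loop: it stops on a run count, a total lamport budget, a per-run cap, a stop-loss rule, or an operator kill switch, and returns why it stopped so the event can be logged and re-authorization demanded. The provider's create-swap quote and the decode/guard/sign/submit step are passed in as callbacks with hypothetical names, which is what lets the limit logic run offline; the kill-switch path and the demo's prices and amounts are assumptions.

```javascript
// Added example, not from the 4CHAD skill: a bounded version of the `while true` DCA loop.
// hooks.nextSwapLamports(run): lamports the provider's create-swap quote would spend this run
// hooks.signAndSubmit(run, lamports): decode, guard, sign and submit one transaction
// hooks.markPrice(run): optional; current price used by the stop-loss rule
// hooks.stopRequested(): kill switch; default is a file the operator can `touch` (hypothetical path)
function runBoundedDca(limits, hooks) {
  const stop = hooks.stopRequested ||
    (() => require('fs').existsSync(limits.killSwitchPath || '/tmp/4chad.stop'));
  let spent = 0n, runs = 0, entryPrice = null, reason = 'maxRuns reached';
  for (; runs < limits.maxRuns; runs++) {
    if (stop()) { reason = 'kill switch'; break; }
    if (hooks.markPrice) {                                   // stop accumulating after a drawdown
      const price = hooks.markPrice(runs);
      if (entryPrice === null) entryPrice = price;
      if (price < entryPrice * (1 - limits.stopLossBps / 10_000)) { reason = `stop-loss at ${price}`; break; }
    }
    const lamports = BigInt(hooks.nextSwapLamports(runs));  // never trust the quote blindly
    if (lamports > limits.perRunCap) { reason = `run ${runs}: quote ${lamports} exceeds per-run cap`; break; }
    if (spent + lamports > limits.budget) { reason = `run ${runs}: budget exhausted`; break; }
    hooks.signAndSubmit(runs, lamports);
    spent += lamports;
  }
  return { runs, spent, reason };   // log this; require re-authorization before starting again
}
// Constructed dry run: fixed 0.05 SOL quotes against a 0.12 SOL budget, so the third run is refused.
function demo() {
  const submitted = [];
  return runBoundedDca(
    { maxRuns: 24, perRunCap: 100_000_000n, budget: 120_000_000n, stopLossBps: 1500 },
    { nextSwapLamports: () => 50_000_000n, signAndSubmit: (r, l) => submitted.push(l), stopRequested: () => false });
}
console.log(demo());
```

In the real loop the `sleep 3600` goes between iterations and signAndSubmit wraps the pre-signing guard and the submit call; the point is that every exit path is explicit and the loop cannot resume on its own. The kill switch is checked before each run, so an operator only needs write access to the switch file, not the ability to find and signal the agent process.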
