4CHAD
Warn: Audited by ClawScan on May 10, 2026.
Overview
This is a disclosed Solana trading skill: it states its purpose openly, but it gives an agent broad wallet-signing power and includes autonomous trading loops with limited safeguards.
Only install this if you intentionally want an agent to perform Solana wallet actions. Use a separate low-balance wallet, verify the signing script, decode transactions before signing, set strict budgets and stop conditions, and do not let autonomous loops trade with funds you cannot afford to lose.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the private key is exposed or misused, the wallet can lose funds or assets.
The signer takes the wallet private key directly as a command-line argument, so the script holds full signing authority and the key is visible to anything on the host that can read the process's argument list (for example `ps` or `/proc/<pid>/cmdline`), as well as to shell history and command logging. Note that the quoted usage line lists the key first while the workflow excerpts in the findings below pass the unsigned transaction first; whichever order the script actually expects, the key still travels as an argument.
Usage: node sign-transaction.js <privateKeyBase58> <unsignedTransactionBase64> ... const [, , privateKey, transaction] = process.argv;
Use a dedicated low-balance wallet; where possible, read the key from a permission-restricted file or from stdin instead of passing it on the command line; and prefer a wallet adapter or a hardware/signing flow that shows transaction details before signing.
A bad, compromised, or misunderstood transaction could spend SOL or tokens once signed.
The workflow signs whatever unsigned transaction the 4chad.xyz API returns and submits it. The reviewed artifacts show no transaction inspection, no program or recipient allowlist, no spending cap, and no approval checkpoint between receiving the transaction and signing it.
UNSIGNED_TX=$(echo $RESPONSE | jq -r '.response.unsignedTransaction') ... SIGNED_TX=$(node sign-transaction.js "$UNSIGNED_TX" "$SOLANA_PRIVATE_KEY") ... POST https://4chad.xyz/api/v1/agent/transaction/submit
Before signing, decode every transaction and review its instructions, program IDs, token mints, recipients, and amounts; require explicit user approval for launches, swaps, and fee claims.
A running agent could continue making financial trades over time, potentially draining funds through repeated buys, bad prices, or unexpected market conditions.
The trading guide includes a persistent `while true` loop that, once an hour, creates, signs, and submits a DCA buy with the wallet private key; the excerpt shows no budget, iteration limit, or exit condition.
while true; do ... Executing DCA buy... ... SIGNED_TX=$(node sign-transaction.js "$UNSIGNED_TX" "$SOLANA_PRIVATE_KEY") ... sleep 3600
Only run bots with explicit budgets, stop conditions, monitoring, and a separate wallet funded with the maximum amount you are willing to risk.
The agent may keep performing wallet-authorized actions after the initial setup, including across multiple tokens.
The fee guide includes a long-running `while true` loop that, once a day, signs and submits a fee-claim transaction for every detected token; the excerpt shows no human confirmation step.
while true; do ... Daily fee claim... ... SIGNED_TX=$(node sign-transaction.js "$UNSIGNED_TX" "$SOLANA_PRIVATE_KEY") ... sleep 86400
Run fee automation only when you understand the token list and transaction costs, and add clear logging, confirmation, and shutdown controls.
If the remote script changes or is compromised, a user could run unsafe signing code.
The setup instructions download executable signing code from a remote website with a plain curl and write it straight into the skills directory, with no hash or version check. Fetching the signer from the project is consistent with the skill's purpose, but provenance matters because this script is the one handed the Solana private key.
curl -s https://4chad.xyz/sign-transaction.js > ~/.4chad/skills/sign-transaction.js
Read the downloaded script before first use, pin it to a known hash or version and re-verify it after any update, and install its dependencies from trusted sources before using it with any private key.
