ClawHub
Back to skill
v1.0.1

Unclaimed SOL Scanner

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:48 AM.

Analysis

This skill appears to be a disclosed, read-only Solana wallet scanner that sends a public wallet address to unclaimedsol.com with user consent.

GuidanceThis skill looks safe for read-only scanning if you are comfortable sharing a public Solana address with unclaimedsol.com. Never provide a seed phrase or private key, and if you visit the website to claim funds, verify the domain and review any wallet transaction before signing.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityInfoConfidenceHighStatusNote
scripts/scan.sh
RESPONSE=$(curl -s -f -X POST "$API_URL" ... -d "{\"publicKey\": \"$WALLET\"}" ...)

The skill invokes a local shell script that performs a network request, but the behavior is narrow, input-validated, and directly supports the stated scanner purpose.

User impactRunning the scan makes a network request from the user's environment to the stated API endpoint.
RecommendationAllow the scan only after the consent disclosure, and verify that the wallet address is public and correctly entered.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
SKILL.md
This skill sends the user's **Solana public key** (wallet address) to the Unclaimed SOL API (`https://unclaimedsol.com/api/check-claimable-sol`) via an HTTPS POST request.

The skill shares a wallet address with an external service; the artifacts clearly disclose this and require consent, but public wallet addresses can still reveal financial activity.

User impactThe scan may let unclaimedsol.com associate the submitted wallet address with the user's request and view its public on-chain history.
RecommendationProceed only if comfortable sharing the public wallet address with unclaimedsol.com, and do not provide seed phrases or private keys.