Sona Next-Gen Wallet
Warn
Audited by ClawScan on May 10, 2026.
Overview
This is a disclosed wallet-control skill, but it gives an agent broad ability to move SOL and enable autonomous “god mode,” while key safety limits are external and inconsistently documented.
Install only if you intentionally want an AI agent to control a SONA/Solana wallet. Treat SONA_TOKEN like a wallet key, verify the separate SONA core service and its spend limits, keep the wallet low-balance or devnet until tested, and prefer assisted mode with manual review over god mode.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent with the configured token could request SOL transfers, approve queued actions, or change the wallet agent’s operating mode.
The skill exposes wallet transfer, approval, and mode-changing tools to the agent. These are purpose-aligned, but they are high-impact state-changing operations.
| `set_mode` | `mode`, `acknowledgment?` | Switch standard / assisted / god mode (auth required) | ... | `transfer_sol` | `to`, `amount_sol` | Transfer SOL ... (auth required) | ... | `approve_action` | `cycle_id` | Approve a queued action to execute (auth required) |
Use this only with a low-balance or devnet wallet unless you have separately verified SONA’s controls. Prefer assisted/standard mode and require out-of-band human confirmation for transfers.
Anyone or any agent process with access to SONA_TOKEN may be able to perform authenticated wallet actions through the local SONA API.
The plugin uses a session token from the environment and sends it as an authenticated cookie for API calls. This is expected for SONA, but it is a broad credential for wallet operations.
const TOKEN = process.env.SONA_TOKEN ?? "" ... if (withAuth && TOKEN) h["Cookie"] = `sona_session=${encodeURIComponent(TOKEN)}`
Keep SONA_TOKEN out of shared environments, rotate it when done, and use the least-privileged/lowest-balance wallet possible.
After setup or mode switching, the wallet agent may continue acting beyond a single user prompt according to its policy and mode.
The skill is designed around a long-running autonomous wallet agent, and the artifacts do not show a time-bound stop condition or local-only containment for god mode.
It watches your on-chain wallet, reasons against your YAML policy rules, and executes trades and transfers ... `god` mode ... full autonomous execution
Run SONA only when needed, monitor its mode, stop the service after use, and avoid god mode unless you fully understand the policy and spend controls.
Users may overtrust the stated spending limit or misunderstand how much the agent can transfer.
The documentation claims a 50M lamport per-action cap, but its own example says a 0.1 SOL transfer is within that limit. 0.1 SOL is 100M lamports, so the safety documentation is internally inconsistent.
50M lamports max per action ... Example: "Transfer 0.1 SOL to vault" ... "executes within Law II limit"
Verify the actual enforced limits in the SONA core service before funding the wallet, and test behavior on devnet or with negligible balances.
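As an added illustration of the cap/example mismatch above (not code from the skill or from SONA), the following local pre-check converts a proposed transfer to lamports exactly and compares it with the quoted 50M cap, which the documented 0.1 SOL example fails. The tool names come from the skill; the gate function, its policy values and the `human_reviewed` flag are constructed for this example.

```python
from decimal import Decimal

LAMPORTS_PER_SOL = 1_000_000_000

# Constructed policy values for this example: the 50M lamport per-action cap
# quoted from the SKILL.md text, and the modes a cautious user would allow
# the agent to select via `set_mode` ("god" is deliberately excluded).
PER_ACTION_CAP_LAMPORTS = 50_000_000
ALLOWED_MODES = {"standard", "assisted"}


def sol_to_lamports(amount_sol: str) -> int:
    """Convert a SOL amount to lamports exactly.

    The amount is parsed with Decimal so that values such as "0.1" do not
    pick up binary floating-point error before the comparison with an
    integer cap.
    """
    lamports = Decimal(amount_sol) * LAMPORTS_PER_SOL
    if lamports != lamports.to_integral_value():
        raise ValueError(f"{amount_sol} SOL is not a whole number of lamports")
    return int(lamports)


def gate_tool_call(tool: str, args: dict) -> tuple[bool, str]:
    """Decide whether an agent-proposed tool call may be forwarded.

    Hypothetical local guard sitting in front of the adapter; returns
    (allowed, reason).
    """
    if tool == "transfer_sol":
        lamports = sol_to_lamports(str(args["amount_sol"]))
        if lamports > PER_ACTION_CAP_LAMPORTS:
            return False, (f"{lamports} lamports exceeds per-action cap of "
                           f"{PER_ACTION_CAP_LAMPORTS}")
        return True, f"{lamports} lamports within cap"
    if tool == "set_mode":
        mode = args.get("mode")
        if mode not in ALLOWED_MODES:
            return False, f"mode {mode!r} not permitted by local policy"
        return True, f"mode {mode!r} permitted"
    if tool == "approve_action":
        # Queued actions are opaque here, so require an out-of-band review flag.
        if not args.get("human_reviewed"):
            return False, "approve_action requires out-of-band human review"
        return True, f"cycle {args.get('cycle_id')!r} approved after review"
    return False, f"unknown tool {tool!r}"
```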
The most security-critical code is outside this adapter artifact, so this review cannot verify the claimed Rust-enforced wallet protections.
The reviewed package is an adapter, while the wallet creation, signing, and policy enforcement happen in a separate SONA service that users must clone and run.
git clone <repo> ... bun install ... bun run sona init # set passphrase, create wallet ... bun run sona start
Install the SONA core only from a verified official repository and review or pin the version before creating or funding a wallet.
