solana-bundler-sniper-volume-bot
Warn
Audited by ClawScan on May 10, 2026.
Overview
This skill openly gives an agent powerful Solana trading and wallet-draining abilities, so it should be reviewed carefully before use.
Only install this if you intentionally want an agent to operate Solana trading wallets through GANK. Use separate low-balance wallets, require manual approval for every trade or transfer, avoid unattended volume/copy-trading loops, verify the provider/source, and never connect a primary wallet or expose your API key in chat context.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent with access to the API key could initiate trades, manipulate wallet activity, transfer funds, or liquidate/sweep wallet assets, potentially causing irreversible financial loss.
The skill exposes high-impact financial mutation endpoints, including coordinated buys, volume automation, and wallet-draining operations, without artifact evidence of mandatory user approval or safety limits.
`POST /phases/swarm/buy` ... `POST /phases/volume/start` ... `POST /wallets/vamp-all` ... `drain wallets — sells tokens, closes accounts, sweeps sol`
Use only with explicit per-action approval, small test wallets, strict spend limits, allowlisted destination wallets/tokens, and disabled autonomous invocation for destructive actions.
If the agent misuses the key or the key is exposed, it may grant access to sensitive wallet data and high-impact wallet operations through the GANK account.
A single GANK API key is treated as a broad delegated credential for all documented wallet and trading operations.
`"apiKey": { "env": "GANK_API_KEY", "required": true, "secret": true }` ... `API keys start with pb_ and authenticate all requests.`
Use a dedicated, least-privilege GANK account and API key if available, keep balances low, rotate the key after testing, and do not expose it in chat logs or shared context.
A wrong destination wallet, mistaken wallet set, or bad agent decision could affect many wallets at once rather than one isolated transaction.
The example expands one operation across all swarm wallets and then calls a destructive sweep/liquidation endpoint.
`const swarmAddresses = (walletsRes.swarm || []).map(...)` ... `// vamp all: sells tokens + closes accounts + sweeps sol` ... `source_wallets: swarmAddresses`
Require a preview of affected wallets and assets, add maximum-wallet and maximum-value limits, and require a separate confirmation before any bulk sell/sweep/close operation.
A copied or agent-implemented loop could continue trading after the initial request and sell positions based on imperfect conditions or stale assumptions.
The documentation includes a recurring autonomous trading loop that can repeatedly inspect positions and execute sells without a per-trade human prompt.
`// poll every 30 seconds` ... `setInterval(monitorAndSell, 30_000)`
Avoid unattended trading loops unless you have explicit stop conditions, session timeouts, notifications, and per-trade approval or pre-approved limits.
The static scan cannot verify how gank.dev handles wallet authority, transactions, server-side keys, or API-side safeguards.
There is no local code to inspect, and registry provenance is incomplete for a skill that directs use of a high-impact third-party financial API.
`Source: unknown` ... `Homepage: none` ... `No install spec — this is an instruction-only skill` ... `No code files present`
Verify the provider, repository, and API documentation independently before connecting funded wallets or granting an API key.
