Solana Dev

PassAudited by ClawScan on May 1, 2026.

Overview

This is a documentation-only Solana development helper with no code, install steps, or credential access, though users should verify its official-sounding claims and optional setup commands.

This skill appears safe as an instruction-only Solana development guide. Before relying on it for fund-moving wallet or transaction code, verify recommendations with official Solana sources, use devnet/testnet for testing, and review any npm/cargo setup commands before running them.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low

#ASI09: Human-Agent Trust Exploitation

What this means

Users might treat the advice as officially endorsed or more authoritative than the provided registry metadata proves.

Why it was flagged

These authority/provenance statements could make a user over-trust the guidance; they are wording-level trust claims, not evidence of hidden execution or data access.

Skill content

**Official Solana Foundation skill for AI agents** ... This makes my technical reviews way more authoritative!

Recommendation

Verify important Solana security or transaction guidance against official Solana documentation, and remove or qualify personal/authority claims if publishing this skill broadly.

Info

#ASI04: Agentic Supply Chain Vulnerabilities

What this means

Some referenced guidance may be unavailable or unreviewed in this package.

Why it was flagged

The skill references local companion documents that are not present in the supplied 7-file manifest, creating an incomplete documentation/provenance gap rather than executable risk.

Skill content

Kit ↔ web3.js boundary: [kit-web3-interop.md](kit-web3-interop.md) ... IDLs + codegen: [idl-codegen.md](idl-codegen.md) ... Payments: [payments.md](payments.md)

Recommendation

Treat missing local references as absent, and consult verified upstream documentation before relying on them.

Info

#ASI05: Unexpected Code Execution

What this means

Running suggested package commands can install and execute third-party tooling in a project environment.

Why it was flagged

These are package installation/run commands for Solana testing tools. They are user-directed and purpose-aligned, but users should review commands before running them.

Skill content

**Setup**: `cargo add --dev litesvm` or `npm i --save-dev litesvm` ... `cargo install surfpool` → `surfpool start`

Recommendation

Run setup commands only in the intended project environment and review the referenced packages/tools before installation.