Fairscale Solana Skill

v0.1.3

Provides real-time Solana wallet reputation scores and risk assessments to inform and secure transaction decisions against fraudulent or risky actors.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the documented endpoints (score, check, custom, batch). Requesting no environment variables and being instruction-only is coherent for a simple HTTP-based reputation API. However, the skill includes an on‑chain payment flow (send USDC to a provided address) which elevates risk: accepting payment directly to a published crypto address without any provenance/homepage or official publisher raises questions about legitimacy.
Instruction Scope
SKILL.md instructs the agent to call an external API (https://x402.fairscale.xyz) and to transmit wallet addresses, transaction amounts, and — for paid operations — transaction signatures and a session token. Those are sensitive data (wallet addresses and tx signatures) and will be sent to an unverified third-party host. The instructions do not require reading local files or env vars, but they do direct users to make on‑chain payments and then POST payment proofs to the endpoint — this could be abused to steal funds or collect identifying transaction data.
Install Mechanism
No install/spec or code files are provided (instruction-only), so nothing is written to disk and no third-party packages are fetched. This minimizes supply-chain risk.
Credentials
The skill declares no required credentials or environment variables, which is consistent with the free-tier/no-API-key claim. However, the paid flow expects a session token obtained after sending USDC to a provided address; that token handling is not declared as an environment input but would be sensitive to store and use. The number and type of secrets required (session token, tx signature) are proportionate to a paid API, but because the publisher/domain are unknown this raises a legitimacy concern.
Persistence & Privilege
The skill is not always-enabled, does not request elevated platform privileges, and has no install-time persistence. Autonomous invocation is allowed but is the platform default and not by itself a concern here.
What to consider before installing
This skill appears to implement a wallet-reputation API, but the publisher and endpoint (https://x402.fairscale.xyz) are unverified and there's no official homepage. The SKILL.md asks you to (a) send USDC to a hard-coded crypto address and (b) POST transaction signatures/session tokens to the endpoint — actions that could result in lost funds or disclosure of sensitive transaction data if the service is fraudulent. Before installing or using it: verify the vendor (official website, organization, or GitHub), confirm the HTTPS certificate and DNS ownership, and search for independent references to FairScale/Fairscale.xyz. If you must test, use a throwaway wallet with minimal funds and do not use real keys/private data. Avoid sending real funds to the provided address until the service's legitimacy is confirmed. If you prefer a lower-risk option, use a well-known reputation provider or only use the free anonymous endpoints and avoid providing transaction signatures or payment proofs.
