v1.0.5

FairScale Solana

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:26 AM.

Analysis

The skill mostly matches its Solana wallet-reputation purpose, but it advertises automatic paid requests from an agent wallet and under-declares credential/payment requirements.

GuidanceReview this skill before installing. Use it only if you are comfortable sending wallet-check details to FairScale, verify the correct API endpoint and header, and do not enable any x402 or wallet-funded payment flow unless you set explicit approvals and spending limits.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Human-Agent Trust Exploitation

SeverityLowConfidenceHighStatusNote

SKILL.md

Free tier: No authentication required. Rate limited by IP.

Pro/Enterprise: Include API key in header:
x-api-key: fs_your_api_key_here

Other supplied artifacts instead describe api2.fairscale.xyz and a fairkey header, with references/API.md saying all requests require a fairkey. The conflicting auth and endpoint documentation can confuse users or agents about which credential path is authoritative.

User impactA user or agent may fail calls, use the wrong endpoint/header, or provide an API key under unclear assumptions.

RecommendationConfirm the correct FairScale API host and authentication header before providing credentials, and ask the publisher to align SKILL.md, README.md, references/API.md, and registry metadata.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityMediumConfidenceMediumStatusConcern

README.md

No setup needed! If your agent has a Solana wallet with USDC, it can pay per request automatically.

- Single wallet: $0.05 USDC
- Batch (10 wallets): $0.40 USDC

This introduces delegated spending from an agent-controlled wallet for API calls. The artifacts do not show an explicit opt-in, approval gate, or spending cap, and the registry metadata declares no primary credential or required environment variables.

User impactAn agent using this skill could incur small USDC charges during wallet checks, and repeated or automated checks could accumulate cost without an obvious install-time permission boundary.

RecommendationRequire explicit user opt-in for x402 payments, declare wallet/payment requirements in metadata, and add clear per-call confirmation or budget limits before any paid request.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication

SeverityLowConfidenceHighStatusNote

SKILL.md

GET https://api.fairscale.xyz/check?wallet=ADDRESS&amount=500

The skill sends wallet addresses and transaction amounts to an external FairScale API. This is expected for reputation scoring, but it means transaction context leaves the local agent environment.

User impactFairScale can learn which wallets and transaction amounts are being checked.

RecommendationOnly submit wallet addresses, amounts, and custom rules that you are comfortable sharing with the provider; review the provider's privacy and retention terms.