Solana Connect
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This Solana skill is purpose-aligned but needs review because it can handle wallet private keys and send real blockchain transactions while also advertising stronger key protection and human confirmation than the code actually enforces.
Review carefully before installing. Use only testnet or low-value wallets unless you have an external approval/signing process. Do not give the agent a real private key unless you are comfortable with it being used to sign transactions, and avoid enabling dryRun: false or skipConfirmation without separate human control.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this skill may need access to a wallet private key, which could allow it to sign and send transactions from that wallet.
The skill claims private keys are never exposed to the agent, but the documented API passes a privateKey variable directly into the transaction function.
"Private Key Protection" - Keys never exposed to agent ... const tx = await sendSol(privateKey, toAddress, 0.5, { dryRun: false, skipConfirmation: true });
Do not provide valuable wallet private keys directly to this skill. Prefer a wallet adapter, signing vault, hardware wallet, limited testnet key, or a design where the agent submits unsigned transactions for separate human approval.
A mistaken or autonomous invocation could send real SOL, including on mainnet, without a separate human confirmation step.
The human-confirmation guard is bypassed whenever skipConfirmation is true, and the code then submits a real signed transaction to the Solana RPC endpoint.
if (amount >= REQUIRE_HUMAN_CONFIRMATION && !skipConfirmation && dryRun === false) { throw new Error(...) } ... const txSignature = await connection.sendRawTransaction(transaction.serialize());
Require explicit user approval outside the agent before dryRun is disabled, remove or tightly restrict skipConfirmation, and use low transaction limits, allowlisted recipients, and testnet-only keys by default.
Users may trust the skill more than they should and provide a real wallet key believing the agent cannot access or use it directly.
The documentation makes a strong safety claim, but the API reference shows the transaction function accepts the private key as an argument.
**Private keys are NEVER exposed to the agent.** ... sendSol(privateKey, toAddress, amount, options)
Update the documentation to accurately describe private-key handling, declare the credential requirement, and clearly warn that the agent/runtime receives key material when these functions are used.
The RPC provider can observe queried wallet addresses and submitted signed transactions, which is expected for Solana use but still privacy-relevant.
The skill communicates with a configured external Solana RPC provider for balances, transaction history, simulation, and transaction submission.
const DEFAULT_RPC = process.env.SOLANA_RPC_URL || 'https://api.testnet.solana.com'; ... return new Connection(rpcUrl, 'confirmed');
Use a trusted RPC endpoint, avoid querying sensitive wallets through untrusted providers, and keep mainnet and testnet configurations clearly separated.
A future dependency resolution could install newer package versions than the reviewed code was tested with if the lock file is not used.
The dependencies are purpose-aligned, but package.json uses semver ranges; users should ensure installation honors the reviewed lock file.
"dependencies": { "@solana/web3.js": "^1.98.0", "bs58": "^6.0.0", "tweetnacl": "^1.0.3" }
Install from the reviewed package with its lock file, or pin exact dependency versions in the install metadata.
