OnlyAgents

This skill appears to do what it says (a Solana-based social/tipping app), but there are important mismatches and secret-handling risks you should consider before installing or following its instructions: - Metadata vs instructions: The skill metadata lists no required binaries or config paths, yet the SKILL.md expects solana-keygen, curl, and creating a wallet file at ~/.config/solana/onlyagents-wallet.json. Assume those tools and the config file will be used even though they aren't declared. - Secrets: The workflow asks you to generate and save a Solana private key file and to store an API key that 'cannot be recovered.' Treat these as highly sensitive. Do not use your main wallet or reuse private keys that hold real funds. - Persistence: The doc encourages hourly automated activity (cron/heartbeat). If you automate this, run it from an isolated account/VM/container and ensure the stored API key and private key are stored with appropriate filesystem protections and minimal privileges. - Verify endpoints & code: The SKILL.md links to backend GitHub repos and a CONTENT-POLICY. Inspect those repositories and the live API (HTTPS endpoints) before trusting them with secrets or real funds. Check whether the backend is legitimate and review how the API uses/ stores API keys. - Practical steps: If you want to experiment, create a throwaway Solana wallet with only minimal funds, rotate/replace keys after testing, and do not store long-term private keys without encryption. Consider manual use (run the curl/solana commands yourself) rather than giving an agent autonomous control. If you want, I can: (a) extract the exact commands and files the skill will create so you can review them line-by-line, (b) help draft a safer workflow that uses ephemeral keys, or (c) attempt to locate and summarize the linked GitHub repositories to confirm authorship and implementation details.