Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

solana-compression

v0.6.0

Build with ZK Compression on Solana using Light Protocol. Use when creating compressed tokens, compressed PDAs, or integrating ZK compression into Solana pro...

by Misha Kolesnik (@tenequm) · duplicate of @tenequm/x402-development
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name/description match the SKILL.md content: examples, Rust/TypeScript snippets, and references all focus on ZK compression, compressed tokens/PDAs and Light Protocol/Helius Photon RPC. Nothing in the instructions requests unrelated access (no AWS, unrelated cloud creds, etc.). However, the skill has no declared source or homepage (provenance unknown), which reduces trust even though the capability alignment is correct.
Instruction Scope
The runtime instructions stay within the stated domain: installing Light Protocol SDKs/CLI, starting a local compression-aware validator, fetching validity proofs from indexers, building transactions, and using Helius/Photon RPC. The instructions do not ask the agent to read arbitrary local files or system credentials. They do recommend installing and running third‑party CLIs (npm -g) and connecting to external RPC endpoints, which is expected for this domain but worth caution.
Install Mechanism
The skill bundle itself has no install spec and contains only docs (lowest platform risk). The SKILL.md recommends npm installs (including a global CLI) and Cargo dependencies; these are normal for development but will execute code delivered from npm/crates.io when followed. Because there is no declared source/homepage or package links in registry metadata, you cannot easily verify the exact packages or publisher before running installs.
Credentials
The skill metadata declares no required environment variables, yet the instructions and examples repeatedly reference API keys and endpoints (e.g., a Helius API_KEY, createRpc('https://...helius-rpc.com?api-key=YOUR_KEY'), and custom Photon endpoints). Requiring RPC/API keys is proportionate to the purpose, but the registry metadata declaring no primaryEnv or required env vars is inconsistent with the docs: users should expect to supply network API keys to use the SDKs, and should treat those keys as secrets (loaded from the environment, never pasted into source or logs).
Persistence & Privilege
No elevated persistence requested: always:false, no config paths, and the skill is instruction-only so it does not install persistent agents or modify other skills. The only persistent effects would come from following the SKILL.md (installing npm packages / global CLI), which is normal for developer tooling.
What to consider before installing
This skill appears to be exactly about Light Protocol / ZK compression on Solana and the README content is consistent with that purpose, but: (1) the registry entry provides no source repo or homepage, so you cannot verify authors or package integrity from this listing; (2) the docs expect you to install npm/Cargo packages and provide RPC/API keys (Helius/Photon) while the skill metadata declares no required env vars. Before using: verify the npm and crate package names and publishers (search npmjs.org and crates.io and confirm the linked GitHub repos), pin exact versions rather than ranges, inspect the CLI package source code and its install-time scripts (npm's --ignore-scripts flag keeps preinstall/postinstall hooks from running until you have read them), run installs in an isolated environment (container or VM), and avoid pasting production API keys into unfamiliar toolchains. If you can provide a source repo, homepage, or official package links, re-run this assessment; that would raise confidence.
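The Credentials and "What to consider before installing" sections above describe two checks a practitioner would actually run: audit the dependency manifest for floating version ranges, non-registry sources and install-time scripts, and keep the RPC API key out of source and logs. The following is an added example of those checks, written for this page; it is not code from the skill, ClawHub, Light Protocol or Helius. The manifest, the package names other than @solana/web3.js, the HELIUS_API_KEY variable name and the rpc.example.com base URL are all constructed assumptions.

```javascript
'use strict';

// Added example, not part of the skill, ClawHub, or Light Protocol. A pre-flight
// check to run before following a SKILL.md that says "npm install" and
// "paste your API key". The manifest and environment below are constructed.

// Only an exact version counts as pinned ("1.2.3" or "1.2.3-beta.1"). Ranges
// such as ^, ~, >=, * and "latest" float, so a later install can resolve to a
// different, possibly compromised, release than the one you inspected.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

// npm runs these scripts with your user's privileges during install, before
// you ever import the package. `npm install --ignore-scripts` suppresses them.
const INSTALL_HOOKS = ['preinstall', 'install', 'postinstall', 'prepare'];

// Audit a parsed package.json. Returns findings; an empty list means clean.
function auditManifest(manifest) {
  const findings = [];
  const deps = { ...(manifest.dependencies || {}), ...(manifest.devDependencies || {}) };
  for (const [name, spec] of Object.entries(deps)) {
    if (/^(git\+|github:|https?:|file:)/.test(spec) || spec.includes('/')) {
      // Not resolved through the registry at all, so registry publisher
      // identity and advisory data do not apply to this dependency.
      findings.push({ kind: 'non-registry-source', name, spec });
    } else if (!EXACT_VERSION.test(spec)) {
      findings.push({ kind: 'unpinned-version', name, spec });
    }
  }
  const scripts = manifest.scripts || {};
  for (const hook of INSTALL_HOOKS) {
    if (scripts[hook]) findings.push({ kind: 'install-hook', name: hook, spec: scripts[hook] });
  }
  return findings;
}

// Build the "...?api-key=YOUR_KEY" style endpoint from the environment rather
// than from a literal in source. HELIUS_API_KEY is an assumed variable name
// (the skill metadata declares none) and the base URL is a placeholder.
function rpcEndpointFromEnv(env, base = 'https://rpc.example.com') {
  const key = env.HELIUS_API_KEY;
  if (!key || key === 'YOUR_KEY') {
    throw new Error('HELIUS_API_KEY is unset or still the docs placeholder');
  }
  const url = new URL(base);
  url.searchParams.set('api-key', key);
  return url.toString();
}

// Mask the key before an endpoint reaches logs, error output or bug reports.
function redactApiKey(endpoint) {
  const url = new URL(endpoint);
  if (url.searchParams.has('api-key')) url.searchParams.set('api-key', 'REDACTED');
  return url.toString();
}

// Constructed sample manifest: what a project might look like after following
// the docs verbatim. Package names other than @solana/web3.js are made up.
const sampleManifest = {
  name: 'compression-demo',
  dependencies: {
    '@example/compression-sdk': '^0.21.0',        // floating caret range
    '@solana/web3.js': '1.95.3',                  // exact pin (version assumed)
    'helper-lib': 'github:someone/helper-lib',    // fetched from git, bypassing the registry
  },
  scripts: { postinstall: 'node scripts/setup.js' },
};

// Run the audit, print what a reviewer would look at, and return the findings
// so the result can also be checked programmatically.
function runPreflight(manifest = sampleManifest, env = process.env) {
  const findings = auditManifest(manifest);
  for (const f of findings) console.log(`[${f.kind}] ${f.name}: ${f.spec}`);
  try {
    console.log('RPC endpoint:', redactApiKey(rpcEndpointFromEnv(env)));
  } catch (err) {
    console.log('RPC endpoint not configured:', err.message);
  }
  return findings;
}

runPreflight();
```

Against the constructed manifest the audit reports three findings (a caret range, a git-sourced dependency, and a postinstall hook); a manifest with only exact registry pins and no install hooks reports none. The endpoint builder refuses the literal placeholder YOUR_KEY so a copy-pasted snippet cannot silently run with a bogus key, and the redaction helper is what should wrap the endpoint anywhere it is printed.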


latest: vk970ak2aqbqwjybts0tha3069d845tb7
