Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

solana-light-sdk

v1.0.1

For Solana program development with tokens and PDAs, Light is 200x cheaper than SPL/ Solana and has minimal code differences (e.g. for any Solana program and...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (Light SDK for rent-free PDAs, tokens, DeFi integration) matches the content of SKILL.md and reference files. Required binaries (cargo, anchor, node) are appropriate for building/testing Anchor/Pinocchio programs and TypeScript tests. No unrelated credentials or config paths are requested.
Instruction Scope
The SKILL.md and reference files are detailed developer guidance and code examples. They instruct agent workflows (AskUserQuestion, spawn subagents, use Task/Skill/Read/Glob/Grep and DeepWiki MCP) which could lead the agent to read repository files or other project files when run. The docs also include example network usage (posting bundles to a Jito endpoint and sending tip transfers) — these are examples, not direct runtime calls by the skill itself, but following them would involve network access and wallet operations. Overall the instructions stay within the development/documentation scope, but they grant the agent broad discretion to read project files and spawn subagents.
Install Mechanism
No install spec and no code files to write/execute are included — this is instruction-only. That is the lowest-risk install mechanism and consistent with the skill being documentation and examples only.
Credentials
The skill requests no environment variables or credentials. Example code references sending transactions and using payer keys (expected for Solana dev), but the skill does not ask for secrets itself. If you run examples locally you will need wallet keys, but that is outside the skill's declared requirements.
Persistence & Privilege
always is false and the skill does not request persistent system presence or modify other skills. disable-model-invocation is default (agent may call it autonomously), which is typical and not by itself concerning given the other dimensions.
Assessment
This skill is documentation-only and appears coherent for Solana Light SDK development: it does not request secrets or install code. Before using: (1) ensure you have the declared tools (cargo, anchor, node) and run any build/test commands in a safe/dev environment; (2) review network examples (Jito bundle endpoint and hard-coded tip accounts) — those are illustrative and would involve sending real transactions if you follow them; never provide private keys or wallets to the skill itself; (3) be aware the workflow suggests spawning subagents that can read files (Read/Glob/Grep) and access DeepWiki MCP — grant those capabilities only if you trust the agent environment and want the agent to scan your repository; (4) if you plan to run example transactions, audit the code and endpoints first and run on testnet or a sandboxed environment.




Runtime requirements

Bins: node, cargo, anchor
