Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

solana-light-token-client

v1.0.6

For client development with tokens on Solana, Light Token is 200x cheaper than SPL and has minimal changes. Skill includes guides for create mints, associate...

0· 406·0 current·0 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (Light Token client cookbook) align with required binaries (node, cargo) and examples in TypeScript and Rust. Requiring an RPC API key and a Solana keypair file (~/.config/solana/id.json) is consistent with creating/signing transactions against devnet/mainnet.
Instruction Scope
The SKILL.md and reference files include example code that reads your Solana keypair from ~/.config/solana/id.json and uses process.env.API_KEY for RPC access. The workflow also instructs spawning read-only subagents (Read, Glob, Grep) scoped to documentation and example repos — which is reasonable for research but still grants filesystem read capability if allowed. This skill explicitly instructs reading a sensitive private key file to sign transactions; that behavior is expected for the stated purpose but is sensitive and should be limited to test keys or secrets-managed keys.
Install Mechanism
Instruction-only skill with no install spec or downloads. No code is installed on disk by the skill itself, lowering supply-chain risk.
Credentials
Only API_KEY is required (Helius/Triton RPC key) and the Solana keypair path is requested — both are justified for interacting with networks and signing transactions. These are sensitive credentials; the SKILL.md recommends storing them in a secrets manager for production. No unrelated credentials are requested.
Persistence & Privilege
always:false and no install hooks or modifications to other skills are present. The skill does not request permanent elevated platform privileges.
Assessment
This skill is a cookbook for building and running Light Token client code and is internally coherent. However, it explicitly reads your Solana private key file (~/.config/solana/id.json) and requires an RPC API_KEY — both are sensitive. Before installing or running: (1) Verify the skill's upstream repository and documentation (metadata lists https://github.com/Lightprotocol/skills and https://www.zkcompression.com). (2) Do not provide your production/mainnet keypair or high-value accounts — use ephemeral/devnet keys or keys stored in a secrets manager. (3) Restrict the agent's filesystem/network permissions if possible; the instructions encourage spawning subagents that can read files (Read/Glob/Grep) — ensure those subagents are scoped. (4) Rotate RPC keys after testing and avoid hardcoding secrets. (5) If you need stronger assurance, request the full upstream source (real repo) and verify code examples against the official Lightprotocol examples repository before giving the skill access to your keys or mainnet RPC.


latest: vk97b8471wzgktfhcge17nn0jx581vdy4


Runtime requirements

Bins: node, cargo
Env: API_KEY
Config: ~/.config/solana/id.json
