Solana Scam Detector
v1.0.2Detect scam tokens on Solana before you trade. Checks ticker patterns, token age, and known scam mints. Read-only — no wallet signing required.
⭐ 0· 88·0 current·0 all-time
by@ammkode
Security Scan
OpenClaw
Benign
high confidencePurpose & Capability
Name/description match the included code and instructions: the module performs ticker pattern checks, minted-address checks, and token-age checks via Solana RPC. Required runtime (node and @solana/web3.js) is appropriate for this purpose.
Instruction Scope
SKILL.md and the code keep to read-only operations (getSignaturesForAddress) and explicitly forbid requesting wallet keys or other sensitive user data. Minor note: the agent is allowed/encouraged to ask the user for RPC_URL and to let the user add blacklist entries; these are reasonable but give the agent discretion to prompt for values which could contain user-specific endpoints or identifiers.
Install Mechanism
This is instruction-only (no automated install spec). The README/SKILL.md instructs running `npm install @solana/web3.js`. That is a standard, expected dependency, but running npm install pulls third-party packages — users should vet dependencies before installing in a sensitive environment.
Credentials
No credentials or environment secrets are required. An optional RPC_URL may be supplied; using the default public RPC (https://api.mainnet-beta.solana.com) is functional but may expose the user's IP and query patterns to the RPC provider. The optional env usage is proportional but should be understood by users concerned about privacy.
Persistence & Privilege
Skill does not request persistent privileges, does not set always:true, and does not modify other skills or system configuration. The addToBlacklist function mutates in-memory arrays only (no disk persistence).
Assessment
This skill appears to do what it claims: read-only checks against Solana RPC. Before installing or running it, consider: (1) Use a trusted/private RPC endpoint if you care about privacy — public RPCs can see your IP and queries. (2) Inspect/confirm the dependency @solana/web3.js and run npm installs in a sandbox/container if unsure. (3) The skill will not ask for wallet keys or send transactions, but the agent may prompt you to provide RPC_URL or to add blacklist items — avoid pasting any secrets into prompts. (4) If you plan to let the agent invoke this autonomously, remember autonomous invocation is allowed by default; consider limiting that if you prefer manual control.Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Binsnode
latest
Solana Scam Detector
Read-only scam detection for Solana tokens. No wallet signing required.
What It Does
- Token Age Check — Flags tokens younger than threshold
- Ticker Pattern Check — Flags fake stock tokens (META, AAPL, etc.)
- Mint Blacklist — Check against known scam mints
Read-Only
This module only reads blockchain data. It does NOT:
- ❌ Require wallet key file
- ❌ Require Telegram ID
- ❌ Store trade history
- ❌ Send any transactions
Installation
npm install @solana/web3.js
Configuration
Required: None (uses default public RPC)
Optional (agent can ask user):
RPC_URL— Custom RPC endpoint (default: public RPC)MIN_TOKEN_AGE_HOURS— Minimum hours (default: 4)
Usage
const { checkTokenSafety, isValidSolanaAddress } = require('./lib/scam_check.js');
// Validate address first
if (!isValidSolanaAddress(mint)) {
console.log('Invalid address');
return;
}
// Check token
const result = await checkTokenSafety(mint, symbol);
console.log(result);
// { safe: true, issues: [], config: {...} }
Agent Instructions
Keep it simple — this is read-only:
- Use default public RPC or ask user for their RPC URL
- Optionally ask user for MIN_TOKEN_AGE_HOURS preference
- Optionally allow user to add to BLACKLIST_EXACT / BLACKLIST_MINTS
- Never ask for wallet key, Telegram ID, or trade history
Files
lib/scam_check.js— Main detection logic (read-only)lib/config.js— Minimal config (RPC URL only)SKILL.md— This file
Comments
Loading comments...