OpenDEX Solana Token API
PassAudited by ClawScan on May 1, 2026.
Overview
The skill is a coherent instruction-only OpenDEX API reference, but it involves an external service, wallet-linked API keys, and state-changing token actions that users should approve deliberately.
This skill appears reasonable for OpenDEX API lookups. Before installing, decide whether you trust the OpenDEX endpoint, only provide wallet addresses or API keys when necessary, store any API key securely, and require clear confirmation before the agent casts sentiment votes, records views, submits content, revokes keys, or performs other state-changing actions.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this endpoint could change OpenDEX sentiment data associated with a wallet address.
The skill documents a state-changing API call that can cast a public sentiment vote using a wallet address. This is purpose-aligned, but users should ensure the agent only performs it when explicitly requested.
POST /api/sentiment/:mint ... { "wallet": "<WALLET>", "sentiment": "bullish" } ... No token holder requirement.Require explicit user approval before POST, DELETE, voting, submission, or other state-changing API calls.
Sharing or mishandling the API key could allow someone else to use the user's OpenDEX API access.
The skill uses an API key tied to a Solana wallet address for authenticated OpenDEX endpoints. This is expected for the integration, but it is credential and identity-related access.
Community content endpoints under `/api/v1/` require an API key passed via the `X-API-Key` header. ... Register a free API key by sending a POST request with a Solana wallet address.
Only create or provide an API key when needed, store it securely, do not share seed phrases or private keys, and revoke the API key if it is exposed.
Users have less provenance information for deciding whether to trust the OpenDEX service endpoint.
The registry metadata does not provide a verified source or homepage, even though the skill directs users to an external API service.
Source: unknown; Homepage: none
Verify the service identity and endpoint before sending wallet addresses or API keys.
Token queries, wallet addresses, and API keys may be visible to the OpenDEX API operator.
The skill routes API requests and credentials to an external provider endpoint. This is disclosed and central to the skill, but users should understand the data boundary.
Base URL ... https://opendex-api-dy30.onrender.com ... Include the key in the `X-API-Key` header
Use only the intended OpenDEX endpoint, avoid sending unnecessary wallet information, and treat API keys as secrets.