OpenDEX Solana Token API
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: opendex Version: 1.0.0 The skill bundle consists of standard metadata and a `SKILL.md` file that purely describes the OpenDex API for Solana token data. The markdown content is a straightforward API specification, lacking any prompt injection attempts against the AI agent, malicious execution instructions, data exfiltration commands, persistence mechanisms, or obfuscation. While the API handles sensitive data like Solana wallet addresses and API keys, the skill itself merely documents these interactions without exhibiting malicious intent or instructing the agent to misuse such data.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent using this endpoint could change OpenDEX sentiment data associated with a wallet address.
The skill documents a state-changing API call that can cast a public sentiment vote using a wallet address. This is purpose-aligned, but users should ensure the agent only performs it when explicitly requested.
POST /api/sentiment/:mint ... { "wallet": "<WALLET>", "sentiment": "bullish" } ... No token holder requirement.Require explicit user approval before POST, DELETE, voting, submission, or other state-changing API calls.
Sharing or mishandling the API key could allow someone else to use the user's OpenDEX API access.
The skill uses an API key tied to a Solana wallet address for authenticated OpenDEX endpoints. This is expected for the integration, but it is credential and identity-related access.
Community content endpoints under `/api/v1/` require an API key passed via the `X-API-Key` header. ... Register a free API key by sending a POST request with a Solana wallet address.
Only create or provide an API key when needed, store it securely, do not share seed phrases or private keys, and revoke the API key if it is exposed.
Users have less provenance information for deciding whether to trust the OpenDEX service endpoint.
The registry metadata does not provide a verified source or homepage, even though the skill directs users to an external API service.
Source: unknown; Homepage: none
Verify the service identity and endpoint before sending wallet addresses or API keys.
Token queries, wallet addresses, and API keys may be visible to the OpenDEX API operator.
The skill routes API requests and credentials to an external provider endpoint. This is disclosed and central to the skill, but users should understand the data boundary.
Base URL ... https://opendex-api-dy30.onrender.com ... Include the key in the `X-API-Key` header
Use only the intended OpenDEX endpoint, avoid sending unnecessary wallet information, and treat API keys as secrets.