Cabin Sol
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: cabin-sol
Version: 1.2.1

The skill bundle provides comprehensive educational content and tools for Solana development. All included scripts and markdown instructions (SKILL.md, CLAUDE.md) detail standard development practices, commands for setting up a Solana environment, building, testing, and deploying programs. While these commands involve shell execution and network interaction, they are directly aligned with the stated purpose of a 'Solana development tutor and builder' and lack any clear evidence of intentional harmful behavior such as data exfiltration, unauthorized remote control, or malicious prompt injection against the agent. The `curl` commands in `README.md` are for installing the skill itself, not for the agent to execute as part of its function, and only download files without direct execution.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If copied without review, these commands could deploy to Solana mainnet and spend real SOL.
The skill documents a mainnet deployment workflow that can spend real funds and publish a program. This is purpose-aligned for a Solana development tutor and is disclosed, but users should intentionally confirm network, wallet, and costs before running it.
# Mainnet (costs ~2-5 SOL)
solana config set --url mainnet-beta
anchor deploy --provider.cluster mainnet
Use devnet or localnet while learning, verify the active Solana cluster and wallet, and only deploy to mainnet after reviewing cost and program behavior.
Transactions may be signed with the user's configured Solana wallet or development keypair.
The examples use Anchor providers and signers to submit transactions. This is expected for Solana development, but it means user wallet authority may be involved when examples are adapted or run.
const provider = anchor.AnchorProvider.env();
anchor.setProvider(provider);
...
.signers([account])
.rpc();
Keep learning wallets separate from funded wallets, check which keypair/provider is active, and avoid using mainnet credentials for tests.
Running the command executes a script fetched from the internet on the user's machine.
The challenge documentation includes a user-directed remote installer command for the Metaplex Sugar CLI. This fits the NFT tutorial purpose, but remote installer provenance should be checked before execution.
bash <(curl -sSf https://sugar.metaplex.com/install.sh)
Inspect remote install scripts or use official package-manager instructions before running them, especially on machines with wallets or private keys.
