Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Solana

v0.1.2

Solana wallet operations - create wallets, check balances, send SOL/tokens, swap via Jupiter, launch tokens on Pump.fun

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the code and runtime instructions: scripts perform wallet creation, balance checks, SOL/token transfers, Jupiter quotes/swaps, and Pump.fun token launches. The two required environment variables (SOLANA_PRIVATE_KEY and JUPITER_API_KEY) are used by the scripts and are appropriate for the declared features.
Instruction Scope
SKILL.md tells the user to run the included scripts and to store/export SOLANA_PRIVATE_KEY in .env which the code reads; initialize.py will create/overwrite a .env file (it warns but will write the key to disk). The README suggests using the external binary 'solana-keygen grind' for vanity keys but the skill does not declare that binary as required — this is an informational mismatch. No instructions request unrelated files or secret stores.
Install Mechanism
This is an instruction-only skill with requirements.txt and an explicit 'pip install -r requirements.txt' in SKILL.md. There is no automated install spec (no remote downloads or archive extraction). Risk from install is typical (Python packages from PyPI).
Credentials
The only required secrets are SOLANA_PRIVATE_KEY (primary credential) and JUPITER_API_KEY; both are used by the code. The scripts also optionally use SOLANA_RPC_URL and JUPITER_API_URL (reasonable). The requested env vars are proportionate to the functionality, but SOLANA_PRIVATE_KEY grants full control of the wallet — which is expected but sensitive.
Persistence & Privilege
The skill does not request always:true or other elevated persistent privileges. It contains runnable scripts but does not modify other skills or system-wide agent config. Note: as-built, if the agent is allowed to invoke skills autonomously it could use the provided private key to send transactions — this is normal for a wallet skill but important to understand.
Assessment
This skill appears to do what it says, but it operates on your private key so treat it as high-risk: only install if you trust the code. Specific points to consider before installing:
- SOLANA_PRIVATE_KEY gives full control of the wallet (can send funds). Use a throwaway wallet or one with minimal funds for testing.
- initialize.py writes/overwrites a .env file in the current working directory; back up any existing .env first.
- The SKILL.md suggests using 'solana-keygen grind' for vanity addresses but that binary is not declared — you must install it separately if you want that feature.
- The skill will call external services: Jupiter API (requires JUPITER_API_KEY) and Solana RPC endpoints; network calls are expected for swaps and on-chain actions.
- Review the pump.fun fee recipient and launch logic if you plan to use the token-launch feature — fees/recipients are hardcoded to Pump.fun program accounts.
- Install Python dependencies in an isolated virtualenv and inspect the scripts locally before exporting your real private key into the environment.
If you want, I can do a line-by-line review of any truncated sections of the scripts or help create a safe test procedure (devnet-only) and a guide to limit exposure (e.g., generate a new wallet, fund with minimal SOL, and test swaps on devnet).


Runtime requirements

Clawdis
Env: SOLANA_PRIVATE_KEY, JUPITER_API_KEY
Primary env: SOLANA_PRIVATE_KEY
