Solana
Advisory. Audited by static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or autonomous invocation could transfer real funds irreversibly from the configured wallet.
The send command signs and broadcasts a Solana transaction immediately, explicitly skipping preflight, with no visible confirmation prompt or spending cap in the script.
opts = TxOpts(skip_preflight=True, preflight_commitment=Confirmed)
result = client.send_transaction(tx, opts=opts)
Use only a dedicated low-balance wallet, require explicit user confirmation for every spend/swap/launch, avoid skip-preflight by default, and set amount/network limits.
Anyone or any agent process with access to this environment variable can spend from the configured Solana wallet.
The skill clearly requires a private key that can authorize wallet actions. This is expected for a wallet skill, but it gives the agent authority over funds in that wallet.
| `SOLANA_PRIVATE_KEY` | Base58-encoded private key (required) |
Do not use a primary wallet. Create a separate wallet with limited funds, protect the .env file, and rotate the key if it may have been exposed.
Using this guidance could mislead token buyers or create reputational/legal risk for the user.
The wording frames vanity token addresses as a way to appear more legitimate, which can support misleading public presentation of launched tokens.
Use vanity addresses ending in 'pump' for more legit-looking tokens.
Avoid deceptive token presentation. Token launch instructions should emphasize accurate disclosure, compliance, and user review of all public-facing metadata.
Future installs may pull different dependency versions, which can affect wallet behavior or supply-chain risk.
Dependencies are installed from package names with lower-bound versions rather than pinned exact versions or a lockfile.
solana>=0.34.0
solders>=0.21.0
base58>=2.1.0
python-dotenv>=1.0.0
aiohttp>=3.9.0
Pin exact dependency versions, use a lockfile, and install in an isolated virtual environment.
