Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Solana Sniper Bot

v1.0.0

Autonomous Solana token sniper and trading bot. Monitors new token launches on Raydium/Jupiter, evaluates rugpull risk with LLM analysis, auto-buys promising launches, and manages exit strategies. Use when user wants to snipe Solana token launches, trade memecoins, monitor new Solana pairs, or build a Solana trading bot. Supports cron-based monitoring, take-profit/stop-loss, and portfolio tracking.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
The name/description (Solana sniper/trading bot) aligns with what the files do: monitoring Raydium pools, assessing tokens, calling an LLM for risk scoring, and executing swaps via Jupiter. Required env vars (SOLANA_PRIVATE_KEY and LLM_API_KEY) are expected for signing trades and calling the LLM.
Instruction Scope
SKILL.md and scripts instruct the agent to install Python deps, place/run the sniper script, create a .env containing the private key and LLM key, poll Raydium/Jupiter RPCs, send token metadata to Anthropic, and perform swaps. All actions stay within the trading/sniping scope, but they require storing a private key in .env and running a long‑running agent that can autonomously sign/send transactions.
Install Mechanism
setup.sh runs pip install of specific packages from PyPI (no obscure downloads). This is expected for a Python tool, but the installer runs pip globally unless a venv is used — note the usual supply-chain and system-impact concerns for pip installs.
Credentials
Only two env vars are required (SOLANA_PRIVATE_KEY and LLM_API_KEY), which are relevant. However, SOLANA_PRIVATE_KEY is extremely sensitive (full control of on‑chain funds). Requesting it is proportionate to the bot's purpose but carries high privilege — the user must understand the financial risk of providing a hot private key to software.
Persistence & Privilege
Skill does not request always:true and does not modify other skills or system configs. It will run as a long‑running/cron process and can autonomously invoke network calls and sign transactions — normal for this use case but increases blast radius if misused or compromised.
Assessment
This skill appears to do what it claims, but it requires your wallet private key and will autonomously sign and send trades. Before installing: (1) Do not use your main wallet — create a dedicated funding wallet with only the funds you can afford to lose. (2) Inspect the code yourself (or have someone you trust do so); the repo is plain Python and uses known APIs. (3) Run inside an isolated environment (container or VM) and use a Python virtualenv to avoid global pip installs. (4) Consider running on Solana devnet/testnet first to validate behavior. (5) Limit the bot's privileges: prefer a wallet/signing setup that avoids exposing a raw long‑term private key if possible (hardware or remote signer), or rotate the private key after testing. (6) Monitor logs and network activity; be aware that any compromise of the environment or LLM key could affect decisions or leak operational metadata. If you are not comfortable exposing a hot private key, do not install.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97f4kvqqyypf8k7wx53k3d7dx80zy11

Runtime requirements

Env: SOLANA_PRIVATE_KEY, LLM_API_KEY
Primary env: LLM_API_KEY