Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

solana-compression-dev

v1.0.4

For client and program development on Solana ~160x cheaper and without rent-exemption for per-user state, DePIN registrations, or custom compressed accounts....

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (compressed PDAs, Light System Program, ZK compression) match the required binaries (solana, anchor, cargo, node, light) and the documented need for an RPC API key and a Solana keypair. The declared config path (~/.config/solana/id.json) and API_KEY are appropriate for devnet/mainnet workflows described in the docs.
Instruction Scope
SKILL.md instructs the agent to fetch validity proofs from RPC providers (Helius/Triton), derive addresses, pack accounts, and read the Solana keypair; these actions are within the scope of building & testing compressed PDA programs. The instructions do not direct the agent to read unrelated system files or to exfiltrate data to unexpected endpoints; external network calls are to documented RPC and GitHub resources.
Install Mechanism
This is an instruction-only skill with no install spec or archive downloads. That minimizes the risk of code being written to disk and executed; required binaries are assumed to be present on PATH and are standard developer tools for Rust/Solana development.
Credentials
The single required env var (API_KEY) is justified (RPC provider key for fetching validity proofs). The required config path is the Solana keypair file, which is needed to sign transactions/tests. No unrelated credentials or numerous secrets are requested.
Persistence & Privilege
The skill sets always:false and has no install hooks. It does not request persistent system-wide privileges or modifications to other skills. Autonomous invocation is allowed, but that is the platform default; nothing else increases its privilege.
Assessment
This skill appears coherent for Solana compressed-PDA development, but take standard precautions: only provide an API_KEY for a trusted RPC provider (Helius/Triton) and avoid pointing the skill at a mainnet keypair with significant funds—use a devnet/local keypair when experimenting. Verify the referenced GitHub repositories and the Lightprotocol docs if you need assurance of provenance. Because the skill can run developer CLIs and fetch web resources, run it in an isolated/dev environment if you are unsure, and do not grant unrelated secrets or system access.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

Bins: node, solana, anchor, cargo, light
Env: API_KEY
Config: ~/.config/solana/id.json