solana-compression-dev
Pass
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent Solana development reference skill with no included executable code, but it can involve local project edits, external package installs, RPC providers, an API key, and a Solana keypair when used on live networks.
Before installing, treat this as a Solana development helper rather than a passive reference: use a dedicated low-balance keypair, keep API keys private, prefer localnet/devnet until you are ready, and review any package install, file edit, deployment, or transaction-signing step before allowing it.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used with a funded mainnet keypair, generated commands or client code could spend fees or mutate Solana account state.
The skill discloses that it may use an RPC provider API key and the user's Solana keypair for devnet/mainnet work. That is purpose-aligned, but it grants transaction-signing authority.
requires:
  env: ["API_KEY"] # Helius or Triton RPC key; only needed for devnet/mainnet
  config: ["~/.config/solana/id.json"] # Solana keypair; only needed for devnet/mainnet
Use localnet or devnet by default, use a low-balance development keypair, and explicitly review any transaction or deployment before signing on mainnet.
The agent may modify source files or run build/test/CLI commands when helping with a project.
The skill can run development commands and edit files. These capabilities fit a Solana development workflow, but they can change a project or interact with local tooling.
allowed-tools: Bash(git:*), Bash(cargo:*), Bash(anchor:*), Bash(light:*), Read, Edit, Glob, Grep, Write, Task, WebFetch, WebSearch, mcp__deepwiki__ask_question
Review proposed file edits and shell commands, especially deploy or transaction-related commands, before allowing them to run.
Installing external developer packages can introduce normal dependency supply-chain risk.
The reference documentation includes a user-directed global npm install for the Light ZK Compression CLI. This is expected for the skill's purpose, but it depends on external package provenance.
npm install -g @lightprotocol/zk-compression-cli
Install packages from trusted registries, consider pinning versions, and avoid running global installs in sensitive environments without review.
External RPC providers may receive API-key-authenticated requests and Solana account/proof query metadata.
The client guide shows connecting to an external RPC provider with an API key. This is disclosed and expected for ZK Compression proof and account queries.
const rpc = createRpc('https://mainnet.helius-rpc.com/?api-key=YOUR_API_KEY');
Use trusted RPC providers, keep API keys private, and prefer devnet/localnet for testing.
