Skill v1.0.4
ClawScan security
solana-compression-dev · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 25, 2026, 6:44 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requested tools, files, and environment variables line up with its stated purpose of developing and testing compressed Solana PDAs; nothing in the instructions appears to ask for unrelated access or hidden endpoints.
- Guidance: This skill appears coherent for Solana compressed-PDA development, but take standard precautions: only provide an API_KEY for a trusted RPC provider (Helius/Triton) and avoid pointing the skill at a mainnet keypair with significant funds; use a devnet/local keypair when experimenting. Verify the referenced GitHub repositories and the Lightprotocol docs if you need assurance of provenance. Because the skill can run developer CLIs and fetch web resources, run it in an isolated/dev environment if you are unsure, and do not grant unrelated secrets or system access.
Review Dimensions
- Purpose & Capability: ok. Name/description (compressed PDAs, Light System Program, ZK compression) match the required binaries (solana, anchor, cargo, node, light) and the documented need for an RPC API key and a Solana keypair. The declared config path (~/.config/solana/id.json) and API_KEY are appropriate for devnet/mainnet workflows described in the docs.
- Instruction Scope: ok. SKILL.md instructs the agent to fetch validity proofs from RPC providers (Helius/Triton), derive addresses, pack accounts, and read the Solana keypair; these actions are within the scope of building & testing compressed PDA programs. The instructions do not direct the agent to read unrelated system files or to exfiltrate data to unexpected endpoints; external network calls are to documented RPC and GitHub resources.
- Install Mechanism: ok. This is an instruction-only skill with no install spec or archive downloads. That minimizes the risk of writing files to disk and executing them; required binaries are assumed present on PATH and are standard developer tools for Rust/Solana development.
- Credentials: ok. The single required env var (API_KEY) is justified (RPC provider key for fetching validity proofs). The required config path is the Solana keypair file, which is needed to sign transactions/tests. No unrelated credentials or numerous secrets are requested.
- Persistence & Privilege: ok. always:false is set and no install hooks are present. The skill does not request persistent system-wide privileges or modifications to other skills. Autonomous invocation is allowed but is the platform default; nothing else increases its privilege.
