Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
solana-payments-wallet-dev
v1.0.2
For stablecoin payment flows and wallet integrations on Solana 200x cheaper token accounts. Receive, send, balance, history, and client-side signing with Pri...
by @tilo-14
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Skill name/description (Solana light-token payments and wallet integrations) matches what the SKILL.md and reference files instruct. Requested binaries (node for JS examples, cargo for Rust nullifier examples) and HELIUS_RPC_URL align with the documented examples.
Instruction Scope
Runtime instructions focus on building/structuring tasks, constructing and signing Solana transactions, and optionally using Privy for embedded signing. The skill explicitly asks to spawn read-only subagents for research (Read, Glob, Grep, DeepWiki MCP) but says to scope reads to skill references, example repos, and docs. The Privy flow will transmit secrets to Privy's API (documented and warned about).
Install Mechanism
Instruction-only skill with no install spec or external downloads; lowest install risk. It does reference 'npx skills add Lightprotocol/skills' for installing examples, which is a standard GitHub-based flow documented in SKILL.md.
Credentials
Declared required env is only HELIUS_RPC_URL (needed for RPC calls). Privy-related secrets (PRIVY_APP_ID, PRIVY_APP_SECRET, TREASURY_WALLET_ID, TREASURY_AUTHORIZATION_KEY) are described as needed only for the optional Privy signing flow — they are documented but not listed as globally required; those secrets are sensitive and will be sent to Privy's endpoints when using that flow.
Persistence & Privilege
always:false and default autonomous invocation; the skill does not request persistent or cross-skill configuration access and does not modify other skills. Subagent use is explicit and scoped in the instructions.
Assessment
This skill is internally consistent for building Solana light-token payment and wallet integrations. Before installing: 1) provide a HELIUS_RPC_URL (it often contains an API key) and treat it as a secret; 2) only supply Privy credentials if you plan to use the Privy signing examples — these are sensitive and are sent to Privy's API (review sign-with-privy.md and verify endpoints); 3) cargo is only required for Rust nullifier examples — you can skip Rust-related steps if you only use the TypeScript examples; 4) the skill may request spawning scoped read-only subagents for research — confirm you’re comfortable with those limited reads; and 5) review the referenced example repositories and Privy integration docs before running any signing or transaction-sending code. If you want lower risk, avoid supplying Privy secrets and avoid spawning subagents that access external documentation automatically.
Like a lobster shell, security has layers — review code before you run it.
latest vk9784mqymswyke9x2mfbk6t7x981vqdy
Runtime requirements
Bins: node, cargo
Env: HELIUS_RPC_URL
