solana-payments-wallet-dev

Pass. Audited by ClawScan on May 1, 2026.

Overview

This is a coherent Solana payment and wallet development guide, but it includes real transaction-signing flows and optional Privy treasury credentials that users must handle carefully.

Install this only if you intend to build Solana payment or wallet flows. Use devnet first, pin dependencies, protect Privy and RPC secrets, and manually confirm every recipient, amount, mint, network, and signing request before using real funds.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A wrong recipient, amount, mint, or network could result in unintended token transfers.

Why it was flagged

The examples include building and submitting token transfers. This is central to the payment/wallet purpose, but it can move funds when used with real signers.

Skill content

await transferInterface(rpc, payer, sourceAta, mint, recipient, owner, amount);

Recommendation

Before signing or broadcasting, verify recipient, amount, mint, network, fees, and whether the transaction uses real funds.

What this means

If these secrets are exposed or over-scoped, someone holding them could authorize treasury wallet signing actions.

Why it was flagged

The Privy signing flow uses app and treasury authorization secrets to request signing through an external wallet provider. This is disclosed and purpose-aligned, but it is privileged access.

Skill content

appSecret: process.env.PRIVY_APP_SECRET!, ... authorization_private_keys: [process.env.TREASURY_AUTHORIZATION_KEY!]

Recommendation

Use least-privileged, environment-scoped secrets, keep them out of agent-global environments, rotate them when needed, and review Privy's signing endpoint behavior before using real funds.

What this means

Dependency changes could affect transaction construction or introduce vulnerabilities in projects that use the examples.

Why it was flagged

The setup pulls third-party npm packages, including beta-tagged SDK packages. Package installation is expected for this development skill, but dependency provenance and version stability matter.

Skill content

npm install @lightprotocol/compressed-token@beta @lightprotocol/stateless.js@beta @solana/web3.js @solana/spl-token

Recommendation

Pin exact versions, commit a lockfile, review package sources, and test on devnet before using the flow with production funds.

What this means

Reference files or project documentation could be read by a subagent/MCP workflow if the user approves that path.

Why it was flagged

The workflow can involve a subagent and MCP access. It is disclosed, read-only, and scoped to references/repos/docs, but it creates an extra data boundary users should notice.

Skill content

ask to spawn a read-only subagent with `Read`, `Glob`, `Grep`, and DeepWiki MCP access, loading `skills/ask-mcp`

Recommendation

Approve subagent use only when needed, keep the scope limited to non-secret project documentation, and do not include private keys or secrets in readable files.