Skill v1.0.2
ClawScan security
solana-payments-wallet-dev · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict

Benign (Feb 25, 2026, 6:19 PM)

- Verdict: Benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and instructions are coherent with a Solana payments/wallet integration toolkit; optional signing flows require additional secrets and spawn scoped read-only subagents, but there is no evidence of hidden or unrelated access requests.
- Guidance: This skill is internally consistent for building Solana light-token payment and wallet integrations. Before installing:
  1. provide a HELIUS_RPC_URL (it often contains an API key) and treat it as a secret;
  2. only supply Privy credentials if you plan to use the Privy signing examples — these are sensitive and are sent to Privy's API (review sign-with-privy.md and verify endpoints);
  3. cargo is only required for Rust nullifier examples — you can skip Rust-related steps if you only use the TypeScript examples;
  4. the skill may request spawning scoped read-only subagents for research — confirm you’re comfortable with those limited reads; and
  5. review the referenced example repositories and Privy integration docs before running any signing or transaction-sending code.

  If you want lower risk, avoid supplying Privy secrets and avoid spawning subagents that access external documentation automatically.
Review Dimensions

- Purpose & Capability (ok): Skill name/description (Solana light-token payments and wallet integrations) matches what the SKILL.md and reference files instruct. Requested binaries (node for JS examples, cargo for Rust nullifier examples) and HELIUS_RPC_URL align with the documented examples.
- Instruction Scope (note): Runtime instructions focus on building/structuring tasks, constructing and signing Solana transactions, and optionally using Privy for embedded signing. The skill explicitly asks to spawn read-only subagents for research (Read, Glob, Grep, DeepWiki MCP) but says to scope reads to skill references, example repos, and docs. The Privy flow will transmit secrets to Privy's API (documented and warned about).
- Install Mechanism (ok): Instruction-only skill with no install spec or external downloads; lowest install risk. It does reference 'npx skills add Lightprotocol/skills' for installing examples, which is a standard GitHub-based flow documented in SKILL.md.
- Credentials (note): Declared required env is only HELIUS_RPC_URL (needed for RPC calls). Privy-related secrets (PRIVY_APP_ID, PRIVY_APP_SECRET, TREASURY_WALLET_ID, TREASURY_AUTHORIZATION_KEY) are described as needed only for the optional Privy signing flow — they are documented but not listed as globally required; those secrets are sensitive and will be sent to Privy's endpoints when using that flow.
- Persistence & Privilege (ok): always:false and default autonomous invocation; the skill does not request persistent or cross-skill configuration access and does not modify other skills. Subagent use is explicit and scoped in the instructions.
