solana-token-distribution
v1.0.1
For token distribution on Solana 5000x cheaper than SPL (rewards, airdrops, depins, ...). @lightprotocol/compressed-token (TypeScript). Reference examples fo...
by @tilo-14
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
high confidence
Purpose & Capability
Name/description (compressed-token airdrops) align with the declared requirements: node and HELIUS_API_KEY. The SKILL.md examples call Helius RPC endpoints and @lightprotocol libraries, which matches the stated purpose. Note: the registry lists no homepage and the skill source is 'unknown' in the registry metadata, while SKILL.md contains a GitHub metadata URL — provenance is plausible but not confirmed by the registry.
Instruction Scope
SKILL.md is an instruction-only guide with TypeScript examples for building, batching, and sending compressed-token transactions. The runtime instructions reference creating/signing transactions (requiring a payer key), using process.env.HELIUS_API_KEY (declared), and suggest spawning subagents with Read/Glob/Grep and DeepWiki MCP access when stuck. That subagent guidance could broaden read access if executed by an agent, so scope and data access should be limited to repo/docs only. The instructions do not directly request arbitrary system files, but they do require the user provide/sign with a private key (not declared as an env var).
Install Mechanism
No install spec and no code files to execute were provided by the skill bundle (instruction-only). This is low-risk from an install perspective because nothing is downloaded or written by the skill itself.
Credentials
The single required env var (HELIUS_API_KEY) is appropriate for using Helius RPC endpoints referenced in the examples. However, transaction signing requires a payer secret key; the skill does not declare a wallet secret env var but examples show Keypair.fromSecretKey(/* your key */). Users should not paste private keys into untrusted inputs — providing a signing key is necessary for operation but is sensitive and must be handled out-of-band or via secure signing.
Persistence & Privilege
The skill does not request always:true or other elevated persistence. It is user-invocable and allows model invocation (the platform default). There is no install step that modifies system or other skills' configs.
Assessment
This skill appears to be a legitimate guide for compressed-token airdrops and only requires a Helius RPC key and Node to run the provided TypeScript examples. Before using it: (1) verify the skill's source (follow the GitHub links in the SKILL.md) and test on devnet first; (2) never paste your wallet private key into a chat or untrusted UI — use a secure signing method or hardware wallet; (3) restrict or rotate your Helius API key if you decide to use it, and avoid giving broader credentials than required; (4) if the agent spawns subagents or reads files, confirm the scope (limit to docs/repos) so it doesn't access unrelated local data. If you need higher assurance, request the actual code files from the publisher or run the examples locally in an isolated environment.
Like a lobster shell, security has layers — review code before you run it.
latest vk970rmawxsnbb0bf1p256hsbwd81th5t
Runtime requirements
Bins: node
Env: HELIUS_API_KEY
