Carbium — Solana DeFi Infrastructure
Review
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent Carbium/Solana integration guide, but it uses API keys and includes examples that can sign and submit crypto trades, so use it only with wallets and keys you intend to use.
Before installing, verify that the Carbium domains are official, keep API keys in backend environment variables only, never expose wallet private keys, and require explicit approval for swaps, bundles, or pump-snipe examples. Test with small funds and stop long-running streams when not needed.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Users may have less assurance that the skill is from the official Carbium publisher before using API keys or wallets.
The registry metadata does not provide a source repository or homepage, which makes independent provenance verification more important for a crypto/DeFi integration.
Source: unknown; Homepage: none
Verify the carbium.io domains and official documentation before entering keys or signing transactions.
Leaked or misused keys could consume paid quota or allow use of the user's Carbium API access.
The template reads Carbium service credentials from environment variables and uses them for provider authentication, which is expected but sensitive.
const CARBIUM_RPC_KEY = process.env.CARBIUM_RPC_KEY; const CARBIUM_API_KEY = process.env.CARBIUM_API_KEY; ... headers: { "X-API-KEY": CARBIUM_API_KEY }
Keep keys server-side, restrict by IP/domain where possible, rotate exposed keys, and declare required env vars clearly in deployment settings.
If run without safeguards, the user could spend SOL on irreversible or failed trades.
The example can automatically build, sign, and submit a Solana buy transaction using the user's wallet; this is aligned with the trading-bot purpose but is financially high-impact.
const tx = await buildBuyTx(wallet, new PublicKey(mint), 50_000_000n, 55_000_000n); ... await connection.sendRawTransaction(tx.serialize(), { skipPreflight: true, maxRetries: 3 });
Use test wallets first, set strict trade limits, inspect transactions, and require explicit approval before any agent-run swap or sniping flow.
A launched stream may keep consuming API quota or system resources until stopped.
The streaming sample reconnects indefinitely when run, which is normal for monitoring but creates ongoing network/API activity.
while (true) { try { await connect(); ... } catch { ... backoff = Math.min(backoff * 2, 30_000); } }
Run long-lived streams under supervision, add cancellation/stop conditions, and monitor usage limits.
