Skill v1.0.1

ClawScan security

solana meme token analyzer · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 5, 2026, 7:28 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill does what it claims (analyze Solana token holder distributions and detect low-SOL 'insider' wallets); the included code, RPC usage, and optional paid API are coherent with the description, but it makes network requests (to RPCs, DexScreener, and a payment facilitator) and exposes queries to third parties — review before using hosted endpoints or paying.
Guidance
This skill appears to be what it says: it queries DexScreener and Solana RPC endpoints to analyze holder distributions and detect low-SOL 'insider' wallets. Before using it, consider: (1) Privacy: any token CA (contract address) you analyze and the wallet addresses fetched will be sent to external RPCs and DexScreener; run locally with your own HELIUS_API_KEY if you want less reliance on public nodes. (2) Hosted API / payments: the SKILL.md advertises a hosted, pay-per-request API and the repo contains server code that verifies/settles x402 micropayments — calling that hosted endpoint or running the provided payment CLI (npx awal x402 pay ...) will incur on-chain charges. Inspect PAY_TO_ADDRESS / FACILITATOR_URL if you self-host the server. (3) Code review: the Python code is readable and not obfuscated, but it makes outbound HTTP requests — audit the network endpoints if you need strict privacy. If you only need local analysis, run scripts/psdm.py locally and avoid the hosted endpoint to prevent unexpected charges or data exposure.

Review Dimensions

Purpose & Capability
ok · Name/description align with the code and instructions: the script queries DexScreener and Solana RPCs to compute top-holder concentration and detect low-SOL 'insider' wallets. HELIUS_API_KEY as a primary credential is appropriate for reliable Solana RPC access.
Instruction Scope
note · Instructions direct the agent/user to run the included Python script or call a hosted API. The runtime behavior is focused on the stated purpose, but it does perform network calls to multiple external RPC endpoints and DexScreener, which will reveal the token CA (and the set of holder addresses queried) to those services. The SKILL.md also documents a pay-per-request hosted API and CLI payment flow (npx awal x402), which could result in on-chain payments if invoked.
Install Mechanism
ok · No installer that downloads arbitrary archives is present — this is instruction/code based and requires only pip dependencies and python3. All referenced installs (pip install -r requirements.txt) are proportionate and use standard PyPI packages.
Credentials
note · Requesting a Helius API key is proportional for reliable RPC access. The repository also contains an API server that optionally uses PAY_TO_ADDRESS and FACILITATOR_URL environment variables to require/settle x402 micropayments; those payment-related envs are unrelated to on-chain analysis but are coherent with the hosted-payments feature. No unrelated secrets beyond these are requested.
Persistence & Privilege
ok · The skill does not request always:true or elevated platform privileges. It does include an optional API server component (for hosting a paid endpoint), but it does not modify other skills or agent-wide configs. Autonomous invocation remains the platform default (unchanged here).