Skill v1.0.0

ClawScan security

wallet-pnl · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 5, 2026, 9:06 AM
Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's code, runtime instructions, and required credential (HELIUS_API_KEY) are coherent with its stated purpose of analyzing Solana wallet swap history.
Guidance
This skill appears to do what it claims: it needs a Helius API key to fetch Solana swap data and will compute PnL locally or via the included API server. Before installing or running:
1) Provide only a Helius API key (no other secrets required).
2) If you use the hosted/paid API, note the $0.03/request facilitator flow: the server will call an external FACILITATOR_URL and may require configuring PAY_TO.
3) If self-hosting, run pip install in an isolated environment (venv/container) and review the PAY_TO/FACILITATOR_URL env vars to avoid unexpected payments.
4) The registry metadata has a minor inconsistency around homepage/source; consider verifying the upstream GitHub repo and reviewing the code yourself if you need stronger assurance.

Review Dimensions

Purpose & Capability · ok
Name/description, required binary (python3), and primaryEnv (HELIUS_API_KEY) align with the implementation: scripts/pnl.py fetches transactions and RPC data from Helius/Solana to compute PnL and win rates. Minor metadata inconsistency: registry 'Homepage: none' at top vs. clawhub.json/README pointing to a GitHub repo.
Instruction Scope · ok
SKILL.md instructs running the bundled Python code or using the provided HTTP endpoint. The instructions and code only request transaction data (Helius API and Solana RPC) and do not read unrelated local files or environment variables. The API server optionally integrates a payment facilitator for a paid endpoint, which results in outbound requests to the configured FACILITATOR_URL.
Install Mechanism · ok
No automated install script in the registry; the skill is instruction-first and includes source files. Self-hosting instructions use pip with a small set of common Python dependencies (fastapi, uvicorn, requests, aiofiles). No high-risk remote download or obscure install URLs are present.
Credentials · ok
Only HELIUS_API_KEY is declared as required (primaryEnv). That is appropriate for fetching parsed transaction history and Solana RPC access. Optional env vars in the server (PAY_TO, FACILITATOR_URL, PRICE_PER_REQUEST) relate to the documented paid API and are justified by that functionality.
Persistence & Privilege · ok
The 'always' flag is false and the skill does not request persistent system-wide privileges. Hosting the included server is optional and confined to its own process; the skill does not modify other skills or agent configuration.