Solana Payments

Pass. Audited by ClawScan on May 1, 2026.

Overview

This instruction-only skill is aligned with creating Solana USDC checkout URLs, but users should verify recurring-payment settings, public metadata, and the external SDK package before use.

This skill appears purpose-aligned and instruction-only. Before installing or using it, verify the Tributary SDK package, pin a trusted version, and carefully check every generated payment URL for the correct recipient, amount, frequency, auto-renew behavior, and metadata. Do not put personal or sensitive customer information in tracking IDs or on-chain memos.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken amount, recipient, frequency, or auto-renew setting could produce a payment link that asks customers to approve the wrong recurring payment.

Why it was flagged

The documented checkout session can create recurring subscription-payment URLs, including an example with auto-renew enabled and an unlimited-renewal default.

Skill content

autoRenew: true ... mr: Maximum renewals (default: "null" = unlimited)

Recommendation

Before sharing or using a checkout URL, explicitly confirm the recipient public key, amount, billing frequency, auto-renew setting, maximum renewals, success URL, and cancel URL.

What this means

Users who follow the setup may add a third-party package to their project; package provenance and version changes affect security.

Why it was flagged

The instruction-only skill directs users to install an external npm SDK, while the registry provides no install spec or pinned package version.

Skill content

npm install @tributary-so/sdk

Recommendation

Install the SDK only from the trusted npm source, pin an expected version, and review the package documentation or lockfile before production use.

What this means

Customer IDs, plan names, or other metadata placed in tracking IDs or memos may become visible in public blockchain transaction history.

Why it was flagged

The documentation encourages per-user tracking identifiers and notes that memo data is stored on-chain, which can make identifiers persistent and publicly visible after payment.

Skill content

Tracking IDs should be unique per user/subscription combination ... memo: "Monthly premium subscription - user_123" ... This memo is stored in the transaction MEMO field on-chain

Recommendation

Avoid putting personal data, internal account IDs, or sensitive business details in tracking IDs or memos; use opaque, non-identifying references where possible.