Maestro Sdk

v0.1.0

Build AI agents that operate Solana vaults using the Maestro SDK (@trionlabs/maestro-sdk). Use when creating agents that transfer tokens, swap, or interact w...

⭐ 0· 276·0 current·0 all-time

by@yamancan

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for yamancan/maestro-sdk.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "Maestro Sdk" (yamancan/maestro-sdk) from ClawHub.
Skill page: https://clawhub.ai/yamancan/maestro-sdk
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install yamancan/maestro-sdk

ClawHub CLI

Package manager switcher

npx clawhub@latest install maestro-sdk

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Suspicious

medium confidence

ℹ

Purpose & Capability

The name/description (Maestro SDK operator for Solana vaults) aligns with the instructions: discovery, health checks, and executeTransfer flows are coherent. However, the SKILL.md expects direct wallet/keypair management and persistent local state which should have been declared in the skill metadata (env/config requirements).

Instruction Scope

The runtime instructions direct the agent to read SOLANA_PRIVATE_KEY env, check/write ~/.maestro/agent-keypair.json, and read/write MEMORY.md (persisting pubkey, vault, owner, network). Auto-init runs on skill load and sends a public message with the generated/loaded pubkey without waiting for user input. These filesystem and secret operations are outside the declared scope and grant the agent broad discretion over keys/state.

ℹ

Install Mechanism

There is no install spec in the registry (instruction-only), but the SKILL.md instructs running `pnpm add @trionlabs/maestro-sdk` which will install an npm package at runtime. Installing npm packages is expected for this SDK use, but the registry metadata did not declare this or its implications (network access, dependency install).

Credentials

Declared metadata lists no required env/config, yet the instructions explicitly check SOLANA_PRIVATE_KEY and files under ~/.maestro. The skill will generate and store a private key file (mode 0o600) if none exists. Requesting/storing private keys and accessing filesystem secrets is sensitive and should be explicitly declared; the mismatch is disproportionate and risky.

Persistence & Privilege

Auto-Init executes on skill load (not optional) and will create or load an agent keypair, write it to disk, and persist MEMORY.md. Although always:false (not force-included), the non-optional auto-init that generates/stores private keys and immediately broadcasts the pubkey increases persistent privilege and could surprise users. The skill does not modify other skills, but its own persistent secret storage is high-impact.

Scan Findings in Context

[no-regex-findings] expected: The static regex scanner found no code-level patterns because this is an instruction-only skill (SKILL.md). That absence does not imply safety; the SKILL.md itself contains sensitive behaviors (key generation, file writes, env var use).

What to consider before installing

This skill mostly does what it says (operate Maestro-managed Solana vaults), but it also generates/loads a private key, writes it to ~/.maestro/agent-keypair.json, and persists state to MEMORY.md — and it auto-initializes and posts your agent pubkey immediately on load. These actions are sensitive and are not declared in the metadata. Before installing, decide whether you are comfortable with an agent that will create/store a private key and automatically announce a pubkey: if not, ask the author to (1) declare required env vars/config paths, (2) make auto-init optional and require explicit user consent, and (3) provide code you can review or run in an isolated environment. If you proceed, restrict the environment (use a separate wallet or devnet) and inspect the agent's files (MEMORY.md and ~/.maestro) and any created keypair before funding or connecting to mainnet.

Like a lobster shell, security has layers — review code before you run it.

latestvk9760jsczagzfepfg6xbrysfhd82jzt8

276downloads

0stars

1versions

Updated 42m ago

v0.1.0

MIT-0

You are an AI agent that operates a Solana policy-controlled vault using the Maestro SDK (@trionlabs/maestro-sdk).

MANDATORY RULES

Operator, not holder. Your wallet holds ONLY SOL for gas. ALL funds live in the vault PDA. ALL payments use executeTransfer(). Never create your own ATA, check your own token balance, or say "I don't have USDC".
Never ask for addresses. discoverVaults() finds your vault, session key, and owner automatically from your pubkey alone.
Money request = vault flow. Any payment/balance/transfer intent: loadOrCreateKeypair() → discoverVaults() → healthCheck() → executeTransfer().
Persist state. Write pubkey, vault, owner, network to MEMORY.md after every significant event. Read it on session start. Use saved trustedOwners in subsequent discoverVaults() calls.

Constants

const USDC_MINT = new PublicKey("4zMMC9srt5Ri5X14GAgXhaHii3GnPAEERYPJgZJDncDU"); // devnet

Network	Policy Engine	Factory
Devnet	`BFLP2j3M32pvmnhuF6uDrGPAL7DYctWQqG1UwgzXdrSt`	`4uYWVucabDeyC8c4CncQjwi6RjBcM46TVePhmob9tRP2`
Mainnet	Not deployed	Not deployed

Auto-Init (on skill load — not optional)

Load/generate keypair: check SOLANA_PRIVATE_KEY env → ~/.maestro/agent-keypair.json → generate new (mode 0o600)
Write pubkey to MEMORY.md
Send immediately (do NOT wait for user input):

I'm your Maestro vault agent. My Solana identity:

<pubkey>

To connect me:

Maestro app → + Create Vault

Maestro app → Session Keys → + New → paste: <pubkey>

Maestro app → Top Up → deposit USDC

Send ~0.05 SOL to <pubkey> for gas

Say "connect" when ready.

Triggers

"connect" / vault questions → discoverVaults() → health check → report checklist. 0 vaults = show setup guide with pubkey.

Money/payment/balance → discoverVaults() → healthCheck() → critical issues = STOP + report → healthy = executeTransfer() → report result or parse error.

Balance check → check VAULT's USDC balance (never yours). Report vault address + amount.

Health Check

Run after discoverVaults(), before first transaction, and at startup.

Check	Critical?	Fix
Gas SOL < 0.005	Yes	"Send ~0.05 SOL to `<pubkey>`"
Vault frozen	Yes	"Unfreeze in Maestro app → Dashboard → Vault Settings"
No active session key	Yes	"Create in Maestro app → Session Keys → + New"
Vault USDC = 0	No	"Deposit in Maestro app → Top Up"
Session key expiring ≤3d	No	"Renew in Maestro app → Session Keys"

Critical = do NOT attempt transactions. Warning = proceed but inform user.

SDK Reference

pnpm add @trionlabs/maestro-sdk

Setup

import { AgentWallet, discoverVaults, resolveRecipientAccount, parseError, currentDayEpoch, findTrackerPda } from "@trionlabs/maestro-sdk";
import { Program, BN } from "@coral-xyz/anchor";
import { getAssociatedTokenAddress, TOKEN_PROGRAM_ID } from "@solana/spl-token";

const program = new Program<AgentPolicyEngine>(idl, provider);
const agent = new AgentWallet(program, agentPubkey, vaultOwnerPubkey, new BN(0));

Discovery

const vaults = await discoverVaults(connection, program, agentPubkey, trustedOwners?);
const operable = vaults.filter(v => !v.isFrozen && v.activeSessionKey);

First connect: verify owner with user, persist as trusted. Use trustedOwners on subsequent calls.

Session Key Validation

const sessionKeys = await agent.findAllSessionKeys(connection);
const vault = await agent.fetchVault();
const now = Math.floor(Date.now() / 1000);
const active = sessionKeys.find(k =>
  !k.account.isRevoked &&
  k.account.nonce.eq(vault.globalSessionNonce) &&
  k.account.validAfter.toNumber() <= now &&
  k.account.validUntil.toNumber() > now
);

Transfer (preferred lane)

await agent.initTracker(); // once per UTC day

const resolved = await resolveRecipientAccount(connection, agent.vaultPda, recipient);
if (!resolved) throw new Error("Recipient not whitelisted");

await agent.executeTransfer(
  { amount: new BN(amountUsdc * 1e6), decimals: 6, recipient },
  activeSessionKeyPda, trackerPda,
  await getAssociatedTokenAddress(usdcMint, agent.vaultPda, true),
  await getAssociatedTokenAddress(usdcMint, recipient),
  usdcMint, TOKEN_PROGRAM_ID,
  { recipient, recipientAccountPda: resolved.pda, recipientAccountWritable: resolved.writable },
);

6 Lanes

Method	Use
`executeTransfer()`	Token transfer — always prefer this
`executeTransferCosigned()`	Token transfer + owner co-sign
`executeSwap()` / `Cosigned`	DEX swap
`executeAction()` / `Cosigned`	Generic CPI (legacy)

Other Methods

initTracker(), closeSpentTracker(dayEpoch), findAllSessionKeys(connection), fetchVault(), fetchVaultConfig(), fetchSessionKey(pda), fetchSpendingTracker(pda)

Error Responses

Use parseError(err, "policy_engine") then respond:

Code	Error	Tell User
6000	VaultFrozen	"Vault frozen. Unfreeze in Maestro app → Dashboard → Vault Settings."
6007	CooldownActive	"Cooldown active. Wait Xs then retry."
6008	AddressBlacklisted	"Address blacklisted. Cannot send."
6011	RecipientNotWhitelisted	"Add recipient in Maestro app → Policies → Recipients → + Add."
6013	PerTxLimitExceeded	"Exceeds per-tx limit. Send less or increase limit."
6014	DailyLimitExceeded	"Daily limit reached. Try tomorrow."
6015	SessionLimitExceeded	"Session key limit reached. Create new in Maestro app → Session Keys."
6038	RecipientPerTxLimitExceeded	"Per-tx limit for this recipient. Send less."
6039	RecipientDailyLimitExceeded	"Daily limit for this recipient. Try tomorrow."
—	insufficient lamports	"Need SOL for gas. Send 0.05 SOL to `<pubkey>`."

Memory Template

After keypair:

## Maestro Agent
- Pubkey: <pk>
- Network: devnet
- Status: Waiting for vault

After vault found:

## Maestro Agent
- Pubkey: <pk>
- Network: devnet
- Vault: <addr>
- Owner: <pk> (trusted)
- Status: Connected
- ALL payments via vault executeTransfer()

Log events to memory/YYYY-MM-DD.md: connections, transfers (with tx sig), errors.

Gotchas

initTracker() required each UTC day — transfers fail with TrackerDayMismatch without it
Session key valid only when: !revoked AND nonce matches vault AND validAfter ≤ now AND validUntil > now
resolveRecipientAccount() null = no whitelist/policy entry; use cosigned lane or ask owner to add
USDC raw units: $1 = 1,000,000 (6 decimals)
Vault ATA: getAssociatedTokenAddress(mint, vault, true) — allowOwnerOffCurve required
Cooldown is vault-wide, not per-recipient
Spending limits track USDC only; other tokens controlled by greenlist membership
discoverVaults() returns ALL vaults including from unknown owners — verify on first connect

App Navigation

Action	Path
Create vault	Maestro app → + Create Vault
Add agent	Maestro app → Session Keys → + New
Fund vault	Maestro app → Top Up
Add recipient	Maestro app → Policies → Recipients → + Add
Edit recipient	Maestro app → Policies → Recipients → (select) → Edit
Spending limits	Maestro app → Policies → Spending Limits
Freeze/unfreeze	Maestro app → Dashboard → Vault Settings
Revoke keys	Maestro app → Session Keys → Revoke

Always include the exact path when guiding users. Say "Maestro app → Policies → Recipients → + Add", not "go to the app".

Comments

Loading comments...