Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Solana Copy Trader

v1.0.0

Solana whale copy trading bot. Track any wallet, copy trades in real-time via Jupiter + Pump.fun APIs, with paper trading simulation and live execution. Use...


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for youthaiagent/solana-copy-trader.

Install the skill "Solana Copy Trader" (youthaiagent/solana-copy-trader) from ClawHub.
Skill page: https://clawhub.ai/youthaiagent/solana-copy-trader
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install youthaiagent/solana-copy-trader

ClawHub CLI


npx clawhub@latest install solana-copy-trader

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)

Purpose & Capability
The code and SKILL.md implement a Solana copy-trader/sniper/arbitrage bot (Helius, Jupiter, pump.fun, Telegram alerts). Those capabilities match the stated purpose. However the registry metadata claims no required env vars/credentials while the SKILL.md and code clearly require PRIVATE_KEY, HELIUS_API_KEY, BOT_TOKEN, CHAT_ID and RPC_URL — this mismatch is unexpected and reduces trust.
Instruction Scope
Runtime instructions and code expect you to provide a .env with PRIVATE_KEY (optional for watch-only but required for live execution), Helius API key, Telegram bot token and chat id, and RPC URLs. The bot connects to multiple external services (Helius RPC, Jupiter quote/swap APIs, Coingecko, solanatracker, pump.fun endpoints, Telegram). That is appropriate for a trading bot, but SKILL.md references a 'solana-bot' directory and a .env.example which are not present in the manifest (files live under scripts/). The instructions also offer a simple switch to turn 'paper' to 'live' — if a private key is added and paper=false the code will sign and send real transactions. Because the agent can be invoked autonomously, this increases the risk of unintended real fund movement if misconfigured.
Install Mechanism
There is no platform install spec; the package expects you to run npm install (package.json present). Dependencies are standard for this domain (@solana/web3.js, @jup-ag/api, axios, dotenv, bs58). This is a moderate-risk install model (pulling from npm) but uses known packages and no external arbitrary downloads. Developers should still audit package.json and node_modules before running with secrets.
Credentials
The environment variables the code uses (PRIVATE_KEY, HELIUS_API_KEY, BOT_TOKEN, CHAT_ID, RPC_URL, optional JITO_TIP, MAX_TRADE_SOL, MIN_PROFIT_PCT) are all proportionate for a trading bot. The problem is that the registry metadata lists 'Required env vars: none' and 'Primary credential: none', which is false given the code and SKILL.md. That omission is a significant incoherence: the skill will prompt you to add highly sensitive values (private key) but the registry doesn't declare them.
Persistence & Privilege
always:false (normal). The skill can execute trades when a private key is provided; agent autonomous invocation is allowed by default. This combination is powerful but expected for a trading bot. Users should be careful: granting a skill a private key allows it to sign/send transactions — ensure you only provide a disposable/trading-only wallet and review code before enabling live mode.
What to consider before installing
This package is an actual Solana trading bot and will contact multiple external services (Helius RPC, Jupiter, pump.fun, solanatracker, Coingecko, Telegram). The main red flags are:

  • (1) the registry metadata claims no required env vars while both SKILL.md and the code require PRIVATE_KEY, HELIUS_API_KEY, BOT_TOKEN, CHAT_ID and RPC_URL — that mismatch is suspicious and should be fixed before trusting the package;
  • (2) SKILL.md references a different directory (.env.example, solana-bot) than the manifest (files under scripts/), which suggests the published metadata or instructions were not updated — expect friction and possible runtime errors.

Before installing or providing secrets:

  • Do NOT put your main wallet private key into .env. Use a small, dedicated wallet for testing or hardware/readonly setups.
  • Run the code in an isolated environment (container/VM) and inspect node_modules before running.
  • Start in watch or paper modes only (no PRIVATE_KEY or set paper:true).
  • Verify the Telegram bot and chat IDs are correct and optional.
  • Ask the publisher to correct registry metadata (declare required env vars and primary credential), include .env.example in the package root, and fix path inconsistencies.

If the author can provide a trustworthy source URL, homepage, or VCS repo and update the metadata, re-evaluate; until then treat the package as suspicious.
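
The metadata mismatch described above can be checked mechanically before any secrets are supplied. The following is an added example, not code from the skill or from ClawHub: the function names and the sample file contents are constructed for illustration, and only the variable names come from the scan report.

```javascript
// Added example: compare the env vars a skill's source reads against what
// its registry metadata declares. Sample inputs below are constructed.
const SENSITIVE = /(KEY|TOKEN|SECRET|PASSWORD|MNEMONIC|SEED)/i;

// Collect names read via process.env.X, process.env["X"] and
// destructuring such as `const { A, B: alias = 1 } = process.env`.
function envVarsUsed(source) {
  const found = new Set();
  for (const m of source.matchAll(/process\.env\.([A-Za-z_][A-Za-z0-9_]*)/g)) found.add(m[1]);
  for (const m of source.matchAll(/process\.env\[\s*['"`]([^'"`]+)['"`]\s*\]/g)) found.add(m[1]);
  for (const m of source.matchAll(/\{([^{}]*)\}\s*=\s*process\.env(?![\w.\[])/g)) {
    for (const part of m[1].split(",")) {
      const name = part.split(/[:=]/)[0].trim(); // drop alias / default value
      if (/^[A-Za-z_][A-Za-z0-9_]*$/.test(name)) found.add(name);
    }
  }
  return [...found].sort();
}

// sources: { path: fileText }, declared: env var names from registry metadata.
function auditDeclaredEnv(sources, declared) {
  const used = new Set();
  for (const src of Object.values(sources)) envVarsUsed(src).forEach((n) => used.add(n));
  const declaredSet = new Set(declared);
  const undeclared = [...used].filter((n) => !declaredSet.has(n)).sort();
  return {
    undeclared,
    // Name-based heuristic only; a URL variable can still embed an API key.
    undeclaredSensitive: undeclared.filter((n) => SENSITIVE.test(n)),
    declaredButUnused: declared.filter((n) => !used.has(n)).sort(),
  };
}

// Constructed stand-ins for the skill's files (not the real source).
const sampleSources = {
  "src/config.js": `
    const { PRIVATE_KEY, RPC_URL: rpc = "https://rpc.example.invalid" } = process.env;
    const helius = process.env.HELIUS_API_KEY;`,
  "src/alerts.js": `
    const token = process.env["BOT_TOKEN"], chat = process.env['CHAT_ID'];
    const cap = Number(process.env.MAX_TRADE_SOL || 0.01);`,
};
const declaredInRegistry = []; // registry says "Required env vars: none"

const report = auditDeclaredEnv(sampleSources, declaredInRegistry);
console.log(report);
```

A non-empty undeclaredSensitive list is the condition the scan report calls out: the package reads secrets that its registry entry never told the installer about.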

Like a lobster shell, security has layers — review code before you run it.

662 downloads
0 stars
1 version
Updated 4h ago
v1.0.0
MIT-0

Solana Copy Trader

Real-time Solana whale copy trader using Helius WebSocket + Jupiter API + Pump.fun.

Quick Start

cd solana-bot
npm install
cp .env.example .env  # fill in keys
node index.js copy    # paper mode (safe)
node index.js watch   # whale tracker only
node index.js scan    # arb scanner

Modes

| Mode | Command | Description |
|------|---------|-------------|
| copy | node index.js copy 0.01 | Copy whale trades (paper by default) |
| watch | node index.js watch | Watch whale txs live |
| scan | node index.js scan | Scan arb opportunities |
| paper | node index.js paper | Full paper trading sim |
| analyze | node index.js analyze | Wallet pattern analysis |
| safety | node index.js safety <mint> | Token rug check |

.env Setup

PRIVATE_KEY=your_base58_private_key   # leave blank for watch-only
RPC_URL=https://mainnet.helius-rpc.com/?api-key=YOUR_KEY
HELIUS_API_KEY=your_helius_key        # free at dev.helius.xyz
BOT_TOKEN=telegram_bot_token          # for alerts
CHAT_ID=your_telegram_chat_id
MAX_TRADE_SOL=0.01                    # safety limit per trade
MIN_PROFIT_PCT=0.5

Architecture

Helius WebSocket → whale tx detected
        ↓
parseTransaction() → decode token changes
        ↓
Jupiter quote → can we route? 
        ↓ (if no route)
Pump.fun DAS check → bonding curve token?
        ↓
safety check → price impact < 50%?
        ↓
paper: log trade | live: executeRealSwap()
        ↓
Telegram alert sent

Key Files

  • src/copy_trade.js — Core copy trader engine
  • src/wallet_tracker.js — Helius WebSocket + tx parsing
  • src/arbitrage.js — Jupiter arb scanner
  • src/pumpfun.js — Pump.fun token metadata via Helius DAS
  • src/sniper.js — New token sniper (paper mode)
  • src/config.js — Wallet + connection setup
  • src/alerts.js — Telegram notifications

Live → Paper Switch

In copy_trade.js startCopyTrader():

paper: true   // paper mode (safe, no real money)
paper: false  // LIVE mode — real trades

Alternatively, run the copy mode through index.js (always paper), or call startCopyTrader({ paper: false }) directly for live trading.

Safety Limits

  • MAX_TRADE_SOL — max SOL per trade (default 0.01)
  • maxPositions: 3 — max open positions at once
  • priceImpact > 50% → skip (rug protection)
  • Pump safety score < 40 → skip

Whale to Copy

Default whale: AgmLJBMDCqWynYnQiPCuj9ewsNNsBJXyzoUhD9LJzN51

  • Confirmed MEV bot: 477 SOL, 172K txs/day, $40K/day
  • Change in src/copy_trade.js (WHALE constant)

Requirements

  • Node.js 18+
  • Free Helius API key (1000 req/day free tier)
  • Solana wallet (optional — watch-only without)
  • Telegram bot (optional — for alerts)

See references/api-setup.md for getting free API keys. See references/trading-concepts.md for how Solana MEV/arb works.
