Solana Copy Trader
Audited by ClawScan on May 10, 2026.
Overview
This is a plausible Solana trading bot, but it under-declares that it can load a wallet private key and autonomously sign real-money trades.
Use paper mode only unless you fully understand the risk. Never provide a main-wallet private key; use a burner wallet with tiny funds, review the full source and dependencies, pin installs, and disable Telegram alerts unless you intentionally want trade details sent there.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If you provide a real wallet private key, the bot can sign transactions that spend from that wallet.
This loads a Solana private key into a signing wallet, while the registry metadata declares no primary credential or env vars.
const secretKey = bs58.default.decode(process.env.PRIVATE_KEY); wallet = Keypair.fromSecretKey(secretKey);
Do not use a main wallet. Use only a new low-balance trading wallet, and require the skill to declare PRIVATE_KEY and other env vars before live use.
A copied whale trade can trigger irreversible real-money token swaps, including losses from slippage, bad signals, or rug-pull tokens.
In live mode, the bot signs and broadcasts Jupiter swap transactions automatically.
swapTx.sign([wallet]); const sig = await connection.sendRawTransaction(swapTx.serialize(), { skipPreflight: false, maxRetries: 3 });
Keep paper mode enabled unless you intentionally accept the risk; require an explicit live-mode command, transaction previews, hard loss limits, and per-trade confirmation.
Users may overtrust the bot's safety claims and buy highly risky new tokens.
The advertised Pump.fun safety gate can pass a token merely for existing, which is much weaker than a robust rug-protection check.
let score = 50; // base score — token exists ... pass: score >= 40
Treat the safety score as informational only; implement and document stronger checks such as liquidity, freeze/mint authority, holder distribution, and sellability.
A compromised or incompatible dependency update could run with access to the same process as wallet credentials and trade execution code.
Caret version ranges allow different dependency versions to be installed later in a process that handles private keys and blockchain transactions.
"@solana/web3.js": "^1.98.4", "axios": "^1.13.5", "bs58": "^6.0.0", "dotenv": "^17.3.1"
Pin exact dependency versions, include a lockfile, audit dependencies, and run the bot in an isolated environment.
Your trading activity, wallet analysis, or bot status may be shared with Telegram or attempted externally even when alerts are not clearly configured.
Trade and wallet alert text is sent to Telegram, and the code shown does not guard against sending when optional Telegram credentials are unset.
await axios.post(`https://api.telegram.org/bot${config.botToken}/sendMessage`, { chat_id: config.chatId, text: msg, parse_mode: 'HTML' });
Disable or guard Telegram sends unless you explicitly configure alerts, and avoid sending sensitive trading details to third-party chats.
