Solana Wallet Rpc
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This is a purpose-aligned Solana wallet helper, but it handles local private keys and can submit a deposit transaction if explicitly invoked.
Install only if you want an agent to operate a Solana wallet. Prefer a new devnet-only keypair, explicitly set the keypair path and RPC network, protect the generated keypair file, and never allow mainnet use or --execute deposits unless you have reviewed and approved the exact transaction details.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If pointed at a real funded wallet, the agent can use that wallet for signing and supported wallet operations.
The skill clearly discloses that it handles Solana private key material, which gives signing authority over the corresponding wallet.
This skill creates and uses local Solana private key files. Treat all generated or configured keypair files as secrets.
Use a dedicated devnet keypair by default, set SOLANA_WALLET_KEYPAIR explicitly, and avoid using a mainnet or funded wallet unless you intentionally want the agent to have that authority.
A deposit transaction can move USDC to the RockPaperClaw program when the execute flag is used.
The code includes a fund-moving RockPaperClaw deposit path, but it requires an explicit keypair and the documented workflow defaults to preview unless --execute is supplied.
throw new Error('Fund-moving commands require an explicit keypair via --keypair or SOLANA_WALLET_KEYPAIR');
Review the preview output, verify the program ID, mint, amount, and wallet address, and only allow --execute after explicit user approval.
Dependency updates from npm could affect wallet behavior or security over time.
The skill relies on npm packages with semver range specifiers; these dependencies are purpose-aligned, but installs may resolve to newer package versions.
"dependencies": { "@solana/spl-token": "^0.4.13", "@solana/web3.js": "^1.98.4", "bs58": "^6.0.0", "tweetnacl": "^1.0.3" }
Install only from the skill directory, consider using a lockfile or reviewed dependency versions, and keep the dependency set limited to the documented packages.
