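📦 OpenClaw Solana Connect — Solana Chain Interaction
v3.0.0
A secure Solana blockchain interaction toolkit built for AI agents, supporting private key protection, spending limits, and dry-run mode, with one-step on-chain queries, signing, and transactions.
0 · 770 · 0 current · 0 cumulative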
Last updated
2026/2/26
Security scan
OpenClaw
Suspicious
medium confidence
The skill largely matches its Solana purpose, but there are multiple coherence and correctness issues around key handling, tests, and documentation that could lead to misuse or runtime failures; review before installing or running with real keys or mainnet funds.
Assessment recommendations
This package appears to implement Solana tooling but has several coherence and correctness issues you should address before use:
- Key handling mismatch: generateWallet() returns only a public address, but sendSol() requires a base58 private key. The test suite incorrectly passes an address where a private key is expected — expect runtime failures if you follow tests verbatim.
- Secret management ambiguity: README/SKILL.md recommend using environment variables for private keys but the skill met...
✓ Purpose and capabilities
Name/description (Solana interaction) align with included code and declared npm deps (@solana/web3.js, tweetnacl, bs58). Required env vars (RPC URL and limits) are relevant to the stated purpose.
⚠ Instruction scope
SKILL.md and README instruct normal usage (generateWallet, sendSol) but contain ambiguous/mismatched examples. The test suite and some examples call sendSol with the wallet address where a private key is expected, indicating incorrect guidance. The docs advise using environment variables for private keys but do not declare any PRIVATE_KEY env var; the runtime code expects a privateKey parameter to be passed into sendSol/connectWallet. These inconsistencies could cause accidental exposure or misuse of private keys or runtime errors.
✓ Installation mechanism
No risky download/install URLs. Dependencies are standard npm packages declared in package.json and package-lock.json (official packages like @solana/web3.js, tweetnacl, bs58). SKILL.md also lists the same npm installs. Package sources appear normal.
ℹ Credential requirements
Requested env vars (SOLANA_RPC_URL, MAX_SOL_PER_TX, MAX_TOKENS_PER_TX, HUMAN_CONFIRMATION_THRESHOLD) are appropriate and proportionate. However, documentation recommends storing private keys in env vars but the metadata does not declare any private-key env variable as required; the code expects private keys as function parameters. This mismatch is an operational gap that could lead integrators to store secrets insecurely or to supply keys incorrectly at runtime.
✓ Persistence and permissions
No always:true, no system-wide config writes, and no unusual persistence or privilege escalation. The skill is instruction-only with local JS files; it does not request elevated platform privileges.
Security is layered; review the code before running.
Runtime dependencies
No special dependencies
Versions
latest · v3.0.0 · 2026/2/15
OpenClaw Solana Connect v3.0 introduces secure transaction support and enhanced configuration:
- Adds private key protection—keys are never exposed to the agent.
- Enforces configurable per-transaction maximums and requires human confirmation for large transfers.
- Supports dry-run mode for safe transaction simulation (default).
- Allows real SOL transfers with strict security checks.
- Switches to @solana/web3.js for improved blockchain interaction.
- Requires additional environment variables for flexible and safe operation.
● Benign
Install command
Official: npx clawhub@latest install solana-connect
Mirror (accelerated): npx clawhub@latest install solana-connect --registry https://cn.longxiaskill.com