tilo-14

solana-light-token-client

by tilo-14 · GitHub ↗ · v1.0.6
cross-platform ⚠ suspicious
Downloads: 468
Stars: 0
Active Installs: 0
Versions: 7
Install in OpenClaw
/install solana-light-token-client
Description
For client development with tokens on Solana, Light Token is 200x cheaper than SPL and has minimal changes. Skill includes guides for create mints, associate...
Usage Guidance
This skill is a cookbook for building and running Light Token client code and is internally coherent. However, it explicitly reads your Solana private key file (~/.config/solana/id.json) and requires an RPC API_KEY — both are sensitive. Before installing or running:
  1. Verify the skill's upstream repository and documentation (metadata lists https://github.com/Lightprotocol/skills and https://www.zkcompression.com).
  2. Do not provide your production/mainnet keypair or high-value accounts — use ephemeral/devnet keys or keys stored in a secrets manager.
  3. Restrict the agent's filesystem/network permissions if possible; the instructions encourage spawning subagents that can read files (Read/Glob/Grep) — ensure those subagents are scoped.
  4. Rotate RPC keys after testing and avoid hardcoding secrets.
  5. If you need stronger assurance, request the full upstream source (real repo) and verify code examples against the official Lightprotocol examples repository before giving the skill access to your keys or mainnet RPC.
Capability Analysis
Type: OpenClaw Skill
Name: solana-light-token-client
Version: 1.0.6

The skill is classified as suspicious due to the direct reading of the user's Solana keypair file (`~/.config/solana/id.json`) in multiple TypeScript code examples (e.g., `references/approve.md`, `references/create-associated-token-account.md`). While this access is explicitly declared in `SKILL.md` as a requirement for devnet/mainnet examples and is common for local development, it represents a high-risk capability. If an AI agent were to execute this code in an unconstrained environment or under a malicious prompt, it could lead to the unauthorized exposure or use of the user's private keys, constituting a significant vulnerability. There is no evidence of intentional malicious behavior by the skill author, such as exfiltration to undeclared endpoints or obfuscation, but the direct access to sensitive local files makes it a risky capability.
Capability Assessment
Purpose & Capability
Name/description (Light Token client cookbook) align with required binaries (node, cargo) and examples in TypeScript and Rust. Requiring an RPC API key and a Solana keypair file (~/.config/solana/id.json) is consistent with creating/signing transactions against devnet/mainnet.
Instruction Scope
The SKILL.md and reference files include example code that reads your Solana keypair from ~/.config/solana/id.json and uses process.env.API_KEY for RPC access. The workflow also instructs spawning read-only subagents (Read, Glob, Grep) scoped to documentation and example repos — which is reasonable for research but still grants filesystem read capability if allowed. This skill explicitly instructs reading a sensitive private key file to sign transactions; that behavior is expected for the stated purpose but is sensitive and should be limited to test keys or secrets-managed keys.
Install Mechanism
Instruction-only skill with no install spec or downloads. No code is installed on disk by the skill itself, lowering supply-chain risk.
Credentials
Only API_KEY is required (Helius/Triton RPC key) and the Solana keypair path is requested — both are justified for interacting with networks and signing transactions. These are sensitive credentials; the SKILL.md recommends storing them in a secrets manager for production. No unrelated credentials are requested.
Persistence & Privilege
always:false and no install hooks or modifications to other skills are present. The skill does not request permanent elevated platform privileges.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install solana-light-token-client
  3. After installation, invoke the skill by name or use /solana-light-token-client
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.6
- Added a table comparing token account creation costs between SPL (~2,000,000 lamports) and Light Token (~11,000 lamports).
- No changes to features, APIs, or code; this is a documentation enhancement for user clarity.
v1.0.5
- Updated `openclaw.requires` to use `config` instead of `configs` for Solana keypair path.
- No code or functional changes; only metadata adjustment for improved environment variable specification.
v1.0.4
- Updated workflow instructions to clarify the process for spawning read-only subagents when stuck.
- Reworded the subagent guidance for clarity and user action ("ask to spawn" instead of directly telling).
- No functional or API changes; documentation improvements only.
v1.0.3
- Added `configs` key to `metadata.openclaw.requires` to require "~/.config/solana/id.json" for devnet/mainnet usage.
- No code or functional changes; documentation and prerequisites now clarify required config files for certain network environments.
v1.0.2
- Added new prerequisite section clarifying the need for `API_KEY` (Helius or Triton RPC key) and local payer keypair for devnet/mainnet.
- Updated `env` requirements to specify `API_KEY` for devnet/mainnet usage.
- Expanded security disclosures to address API key usage and configuration best practices.
- Clarified that localnet does not require external credentials or `API_KEY`.
- Minor workflow and security section clarifications for better guidance on setup and agent behavior.
v1.0.1
No functional or documentation changes; version bump only.
- Version updated to 1.0.1 without file or content modifications.
- No impact on usage, features, or documentation.
v1.0.0
Initial release of light-token-client skill.
- Adds guides and cookbook for using Light Token on Solana—covering creation, transfer, burn, approval, wrapping, and more.
- Supports both TypeScript (`@lightprotocol/compressed-token`) and Rust (`light_token_client`) SDKs.
- Includes detailed references for all core token operations with links to full documentation and example code.
- No credentials or secrets required; security best practices clearly documented.
- Designed for developers building client applications requiring cost-efficient token operations on Solana.
Metadata
Slug solana-light-token-client
Version 1.0.6
License
All-time Installs 0
Active Installs 0
Total Versions 7
Frequently Asked Questions

What is solana-light-token-client?

For client development with tokens on Solana, Light Token is 200x cheaper than SPL and has minimal changes. Skill includes guides for create mints, associate... It is an AI Agent Skill for Claude Code / OpenClaw, with 468 downloads so far.

How do I install solana-light-token-client?

Run "/install solana-light-token-client" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is solana-light-token-client free?

Yes, solana-light-token-client is completely free (open-source). You can download, install and use it at no cost.

Which platforms does solana-light-token-client support?

solana-light-token-client is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created solana-light-token-client?

It is built and maintained by tilo-14 (@tilo-14); the current version is v1.0.6.
