seenfinity

Solana Connect

Author: Seenfinity · GitHub · v3.0.0
cross-platform ⚠ suspicious
Total downloads: 802
Favorites: 0
Current installs: 0
Number of versions: 12
Install in OpenClaw
/install solana-connect
Description
OpenClaw Solana Connect — Secure toolkit for AI agents to interact with Solana blockchain. Features private key protection, max limits, dry-run mode, and hum...
Security usage recommendations
This package appears to implement Solana tooling but has several coherence and correctness issues you should address before use:
- Key handling mismatch: generateWallet() returns only a public address, but sendSol() requires a base58 private key. The test suite incorrectly passes an address where a private key is expected — expect runtime failures if you follow tests verbatim.
- Secret management ambiguity: README/SKILL.md recommend using environment variables for private keys but the skill metadata does not declare a private-key env var; the code expects private keys as parameters. Decide on a secure secret flow (platform secret store, not plaintext env vars) and update docs and metadata.
- Human confirmation & mainnet safety: the code enforces dry-run and thresholds, but warnings about mainnet are printed only; double-check enforcement logic before sending real funds (and never run on mainnet with real keys until audited).
- Minor correctness issues: simulation code tries to reference transaction.signature (which may be undefined), and keypair/seed handling (fromSeed slicing) is brittle and may not match common wallet secret formats. These are bugs that could cause failed or malformed transactions.

Recommendations:
1) Do not supply real private keys to this skill until the above are fixed and you understand how the key material is used.
2) Require the maintainer to fix the test/example usage and clarify how keys should be passed securely (prefer platform secret storage or explicit private-key env var declared in metadata).
3) Audit the signing and serialization logic (tweetnacl usage, signature attachment, simulation fields) before any mainnet use.
4) If you lack the ability to review/fix the code, treat this as untrusted and run only in isolated test environments (no real funds).
Functional analysis
Type: OpenClaw Skill
Name: solana-connect
Version: 3.0.0

The OpenClaw Solana Connect skill bundle is designed with a strong emphasis on security, explicitly implementing features like private key protection (keys are never exposed to the agent, only used internally for signing), transaction limits, dry-run mode by default, and a human confirmation threshold for large transactions. All dependencies listed in `package.json` and `package-lock.json` are standard and legitimate for Solana development. The `SKILL.md` and `README.md` files provide clear, security-conscious instructions and documentation without any evidence of prompt injection or malicious intent. The `scripts/solana.js` code consistently enforces these security measures, making it a well-behaved and safe toolkit for AI agents to interact with the Solana blockchain.
Capability assessment
Purpose & Capability
Name/description (Solana interaction) align with included code and declared npm deps (@solana/web3.js, tweetnacl, bs58). Required env vars (RPC URL and limits) are relevant to the stated purpose.
Instruction Scope
SKILL.md and README instruct normal usage (generateWallet, sendSol) but contain ambiguous/mismatched examples. The test suite and some examples call sendSol with the wallet address where a private key is expected, indicating incorrect guidance. The docs advise using environment variables for private keys but do not declare any PRIVATE_KEY env var; the runtime code expects a privateKey parameter to be passed into sendSol/connectWallet. These inconsistencies could cause accidental exposure or misuse of private keys or runtime errors.
Install Mechanism
No risky download/install URLs. Dependencies are standard npm packages declared in package.json and package-lock.json (official packages like @solana/web3.js, tweetnacl, bs58). SKILL.md also lists the same npm installs. Package sources appear normal.
Credentials
Requested env vars (SOLANA_RPC_URL, MAX_SOL_PER_TX, MAX_TOKENS_PER_TX, HUMAN_CONFIRMATION_THRESHOLD) are appropriate and proportionate. However, documentation recommends storing private keys in env vars but the metadata does not declare any private-key env variable as required; the code expects private keys as function parameters. This mismatch is an operational gap that could lead integrators to store secrets insecurely or to supply keys incorrectly at runtime.
Persistence & Privilege
No always:true, no system-wide config writes, and no unusual persistence or privilege escalation. The skill is instruction-only with local JS files; it does not request elevated platform privileges.
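How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install solana-connect
  3. Once installation completes, call the Skill by name or trigger it with /solana-connect
  4. Provide the required inputs according to the Skill's parameter description to get structured output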
Version history
v3.0.0
OpenClaw Solana Connect v3.0 introduces secure transaction support and enhanced configuration:
- Adds private key protection—keys are never exposed to the agent.
- Enforces configurable per-transaction maximums and requires human confirmation for large transfers.
- Supports dry-run mode for safe transaction simulation (default).
- Allows real SOL transfers with strict security checks.
- Switches to @solana/web3.js for improved blockchain interaction.
- Requires additional environment variables for flexible and safe operation.
v2.0.8
- Dependency versions updated in package.json and package-lock.json.
- No functional or API changes to the toolkit.
- Documentation and usage remain unchanged.
v2.0.7
- Added clarification about dependencies in documentation, explaining use of crypto libraries for wallet generation only.
- Fixed typo in the example Solana RPC endpoint (mainnet-beta.solana.com).
- No functional or API changes; documentation updates only.
v2.0.6
- Switched to a fully read-only toolkit: signing and transaction-sending are now removed.
- Security model improved — private key handling and transaction permissions are gone.
- Simplified environment requirements: only `SOLANA_RPC_URL` is needed.
- Documentation now clarifies supported (read-only) functionality and lists required npm packages.
- All write operations (real token transfers, sol transfers, signing) are disabled or simulated only.
v2.0.5
- SKILL.md greatly simplified: intro, installation, function details, and warning sections remain, but much metadata and onboarding info were removed.
- Outdated status notes and SDK install instructions were dropped.
- The skill's current capabilities and function documentation are kept; developer and agent guidelines remain.
- Resource list and licensing info updated at the end of the document.
v2.0.4
- Adds a clear summary that Solana Connect v2.0 is now read-only: signing and write operations are not implemented yet.
- Removes "AGENT_PRIVATE_KEY" from required environment variables in the metadata.
- Warns users that "write operations are simulation only" and discourages use with real funds.
- Updates documentation to match the toolkit's current read-only development status.
v2.0.3
- Added "AGENT_PRIVATE_KEY" to the list of required environment variables in the skill metadata.
- No other user-facing changes.
v2.0.2
**OpenClaw Solana Connect 2.0.2 — Enhanced Security Release**
- Private key protection: keys are never exposed to the agent; all signing is handled internally.
- Updated requirements: added `MAX_SOL_PER_TX` and `MAX_TOKENS_PER_TX` environment variables for transaction safety.
- Installation now requires `bs58` for encoding, and `tweetnacl` is clarified as used for secure key handling.
- Documentation streamlined to emphasize new security features and improved environment safety.
v2.0.1
- Improved test coverage and documentation in README.md.
- Internal script and test updates for stability.
- No breaking API changes.
v2.0.0
**Major update: Migrated to Solana SDK v2 and updated wallet handling.**
- Upgraded core dependency to `@solana/kit` (Solana SDK v2), replacing `@solana/web3.js`.
- Switched wallet generation and management to use `tweetnacl` instead of `@solana/spl-token`.
- Updated install steps and environment requirements to reflect dependency changes.
- Refactored scripts and tests to support the new SDK and wallet approach.
- Updated documentation throughout to match the new architecture and API usage.
v1.4.0
Security improvements: Added dry-run mode, amount limits, testnet warnings, and security best practices documentation
v1.0.0
Initial release - Toolkit for OpenClaw agents to interact with Solana blockchain
Metadata
Slug solana-connect
Version 3.0.0
License
Total installs 0
Current installs 0
Number of versions 12
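FAQ

What is Solana Connect?

OpenClaw Solana Connect — Secure toolkit for AI agents to interact with Solana blockchain. Features private key protection, max limits, dry-run mode, and hum... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 802 total downloads so far.

How do I install Solana Connect?

Run the command "/install solana-connect" in the OpenClaw or Claude Code chat box for one-click installation; no additional configuration is required.

Is Solana Connect free?

Yes, Solana Connect is completely free (open source and free) and can be freely downloaded, installed and used.

Which platforms does Solana Connect support?

Solana Connect runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Solana Connect?

Developed and maintained by Seenfinity (@seenfinity); the current version is v3.0.0.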
