← 返回 Skills 市场
imthatcarlos

Solana Swaps

作者 imthatcarlos · GitHub ↗ · v0.1.0
cross-platform ⚠ suspicious
2178
总下载
0
收藏
3
当前安装
1
版本数
在 OpenClaw 中安装
/install solana-swaps
功能描述
Swap tokens on Solana via Jupiter aggregator and check wallet balances. Use when user wants to swap tokens, check SOL/token balance, or get swap quotes.
安全使用建议
What to check before installing or enabling this skill: - Missing pieces: SKILL.md references a local Node script (scripts/jupiter-swap.mjs) but the skill bundle contains no code files. Ask the publisher for the missing script or an install spec before trusting/using this skill — without it the instructions are incomplete. - Undeclared API key: The documentation uses JUPITER_API_KEY for authenticated Jupiter requests but the skill metadata does not declare it as a required env var. Confirm where that key is expected to come from and ensure it is stored securely. - High-sensitivity credential: SOLANA_KEYPAIR_PATH points to your wallet keypair file. Any code run with that keypair can sign and submit transactions (i.e., move funds). Only provide that path to code and scripts you have audited and trust. Prefer a limited-purpose hot wallet with minimal funds, a hardware wallet, or signing via a remote signer you control. - Missing audit: Because the skill is instruction-only and references external APIs and a missing script, you should inspect the jupiter-swap.mjs code (or request it) to confirm it does not exfiltrate the keypair file, upload private data, or call unexpected endpoints. - Network calls: The skill interacts with api.jup.ag (expected) but also uses curl and writes /tmp files. Ensure temporary files don't contain private key data and that your environment prevents accidental leakage (e.g., logs). If you cannot obtain and review the missing script and a clear declaration of required env vars, treat this skill as untrusted and avoid supplying your wallet keypair path or API keys.
功能分析
Type: OpenClaw Skill Name: solana-swaps Version: 0.1.0 The skill is designed to perform Solana token swaps, which inherently requires access to the user's private key via `SOLANA_KEYPAIR_PATH` for transaction signing. While the `SKILL.md` file contains strong safety instructions for the AI agent, explicitly forbidding private key exfiltration ('NEVER log, display, or transmit private key contents') and mandating user confirmation for all swaps, a critical component, `scripts/jupiter-swap.mjs`, is invoked with the keypair but its content is not provided for analysis. This unverified component, which directly handles the private key for signing and submitting transactions, introduces a significant blind spot and makes the skill suspicious despite the otherwise robust safety guidelines in `SKILL.md`.
能力评估
Purpose & Capability
The requested binaries (solana, spl-token, curl, jq, node) and the use of Jupiter's API are appropriate for a Solana swap/quote skill. However, the SKILL.md references JUPITER_API_KEY and a local Node script (scripts/jupiter-swap.mjs) that are not declared in the skill metadata and are not present in the package. Requesting node is reasonable only if the script is supplied; without it the runtime instructions are incomplete.
Instruction Scope
Instructions tell the agent to read the wallet keypair (via the solana CLI), call api.jup.ag, write temporary files under /tmp, and run a local Node signing/submission script. The skill explicitly says environment variables (including JUPITER_API_KEY) are preconfigured, but the registry metadata only declares SOLANA_KEYPAIR_PATH. The referenced scripts are not included; that gap either breaks functionality or implies external code will be introduced at runtime — both are red flags. The instructions also rely on automatic access to the user's private key file (via SOLANA_KEYPAIR_PATH), which grants signing ability and must be treated as highly sensitive.
Install Mechanism
This is an instruction-only skill with no install spec, which is lower risk in that nothing is written by an installer. However, running the provided commands requires local CLIs and a Node script that is not packaged; the absence of an install step means the skill assumes the runtime environment already contains compatible tooling and scripts, which increases the chance of breakage or accidental manual copying of missing files from untrusted sources.
Credentials
The skill declares only SOLANA_KEYPAIR_PATH as a required env var in registry metadata, but SKILL.md also depends on JUPITER_API_KEY (used in all API calls) and explicitly claims it is preconfigured. That mismatch is problematic: JUPITER_API_KEY is expected for authenticated Jupiter requests and should be declared. More importantly, SOLANA_KEYPAIR_PATH points to a wallet private key file; providing this gives the skill (and any scripts it runs) the ability to sign and submit transactions — a powerful credential that must be proportionate and only given to trusted code. The SKILL.md's admonition 'NEVER log, display, or transmit private key contents' is good guidance but cannot be enforced.
Persistence & Privilege
The skill does not request always:true and is user-invocable only (normal). It does not declare modifications to other skills or system-wide settings. There is no install step that creates persistent agents or credentials. Autonomous invocation is allowed by default but is not an additional red flag here.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install solana-swaps
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /solana-swaps 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.1.0
solana-swaps v0.1.0 – Initial release - Swap tokens on Solana using the Jupiter aggregator with safety checks and explicit user confirmation. - Check SOL and SPL token balances, including specific tokens, via straightforward CLI commands. - Pre-configured environment variables for seamless wallet and API integration. - Built-in error handling and retry logic for common issues during swaps. - Detailed documentation, safety guidelines, and step-by-step usage instructions.
元数据
Slug solana-swaps
版本 0.1.0
许可证
累计安装 3
当前安装数 3
历史版本数 1
常见问题

Solana Swaps 是什么?

Swap tokens on Solana via Jupiter aggregator and check wallet balances. Use when user wants to swap tokens, check SOL/token balance, or get swap quotes. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 2178 次。

如何安装 Solana Swaps?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install solana-swaps」即可一键安装,无需额外配置。

Solana Swaps 是免费的吗?

是的,Solana Swaps 完全免费(开源免费),可自由下载、安装和使用。

Solana Swaps 支持哪些平台?

Solana Swaps 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Solana Swaps?

由 imthatcarlos(@imthatcarlos)开发并维护,当前版本 v0.1.0。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论