Is h4rkl/solana-dev-skill safe?

https://github.com/openclaw/skills/tree/main/skills/h4rkl/solana-dev-skill

94
SAFE

The h4rkl/solana-dev-skill is a clean, documentation-only Solana development reference with no prompt injection, no executable code, no suspicious network activity, and intact canary files. Sensitive file accesses observed in monitoring are attributable to the oathe audit framework's own initialization and teardown routines, not to the skill. The only elevated consideration is contextual: operators deploying this skill in agents with live wallet-signing capabilities should pair it with appropriate transaction-confirmation guardrails, as the Solana domain inherently involves financial operations—though the skill itself actively promotes defensive practices through its embedded security checklists.

Category Scores

Prompt Injection 96/100 · 30%
Data Exfiltration 91/100 · 25%
Code Execution 98/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 86/100 · 5%

Findings (5)

LOW Canary file opens attributable to audit framework, not skill -9

Six sensitive canary files were opened twice during monitoring: once at audit initialization (timestamp 1771926754, before git clone) and once post-install (timestamp 1771926777). Both events show OPEN+ACCESS+CLOSE_NOWRITE (read-only), the expected pattern for the oathe audit framework establishing a pre-clone baseline and performing post-install integrity verification. The skill contains only markdown and has no runtime capability to access host filesystem paths.

LOW Solana domain raises consequence severity in wallet-capable agent contexts -14

This skill's subject matter—wallet signing, token transfers, CPI invocations, and DeFi interaction—means that any separate prompt injection or social engineering attack against an agent using this skill could have direct financial consequences. The skill itself does not exploit this; it explicitly includes risk notes and security checklists. However, operators should ensure this skill is not co-deployed with unrestricted wallet-signing tools in high-value production environments without additional guardrails.

INFO Full monorepo cloned for single skill subpath extraction -12

The oathe install mechanism performs a shallow clone of the entire openclaw/skills monorepo (1214 git objects) before using sparse-checkout to isolate the target skill. This is an artifact of monorepo hosting, not a security concern, but it results in higher-than-necessary network activity and a larger transient disk footprint during installation.

INFO Progressive disclosure architecture loads nine supplementary files -4

SKILL.md delegates detailed guidance to nine satellite markdown files. All nine are clean. The architecture is legitimate progressive disclosure, but each satellite file is a potential future supply-chain attack vector if the upstream repository were compromised after install. Current state: all files examined and contain only Solana development documentation.

INFO No executable code of any kind present -2

Complete absence of executable artifacts: no npm/yarn scripts, no git hooks, no gitattributes filter drivers, no submodules, no symlinks, no shell scripts, no binary files. The skill is documentation-only.