Low Risk — Risk Score 18/100
Last scan: 2 days ago
gluex-interaction
Operate the GlueX Solana protocol (register profiles, listen to bounties, claim tasks, approve rewards, map social graph connections) directly from the CLI.
Legitimate Solana protocol interaction tool with a minor doc-to-code mismatch regarding private key handling, but no malicious behavior detected.
Skill Name: gluex-interaction
Duration: 44.9s
Engine: pi
Safe to install
Update SKILL.md to accurately reflect that the skill reads the Solana keypair from ~/.config/solana/id.json for transaction signing. Consider adding explicit filesystem:READ permission declaration for the keypair path.

Findings 3 items

Severity Finding Location
Low
Inconsistent private key handling claim
SKILL.md claims 'The platform never touches private keys or funds directly' but interact.ts loads the secret keypair from disk to sign transactions. This is a necessary blockchain operation but contradicts the safety claim.
All SOL bounties are locked securely in Program Derived Addresses (PDAs). The platform never touches private keys or funds directly.
→ Remove or rephrase the 'never touches private keys' claim. Acknowledge that agents must have a funded keypair for on-chain transactions.
SKILL.md:8
Low
Undeclared filesystem access
The script reads the Solana keypair from ~/.config/solana/id.json without explicit filesystem permission declaration.
rawdata = fs.readFileSync(keypairPath, 'utf-8');
→ Declare filesystem:READ for the specific keypair path in SKILL.md
scripts/interact.ts:22
Info
IDL loaded from relative path
Script attempts to load the Anchor IDL from ../../../program/target/idl/gluex.json relative path. This path may not exist for external users and will cause exit(1) if missing.
if (!fs.existsSync(idlPath)) { console.error(`IDL not found...`); process.exit(1); }
→ Include the IDL in the skill package or download it from a known-good source.
scripts/interact.ts:34
Resource Declared Inferred Status Evidence
Filesystem NONE READ ✓ Aligned scripts/interact.ts:22 reads ~/.config/solana/id.json
Network NONE READ ✓ Aligned Connects to https://api.devnet.solana.com for Solana RPC; WebSocket subscription…
Shell NONE NONE No shell execution found; only uses npx/ts-node invocation via CLI
Environment NONE NONE No environment variable access detected
103 findings (all Medium: External URL) in SKILL.md, scripts/interact.ts and scripts/package-lock.json

File Tree

5 files · 49.0 KB · 1288 lines
JSON 3f · 954L TypeScript 1f · 247L Markdown 1f · 87L
├─ 📁 scripts
│ ├─ 📜 interact.ts TypeScript 247L · 9.1 KB
│ ├─ 📋 package-lock.json JSON 927L · 34.8 KB
│ ├─ 📋 package.json JSON 15L · 366 B
│ └─ 📋 tsconfig.json JSON 12L · 250 B
└─ 📝 SKILL.md Markdown 87L · 4.5 KB

Dependencies 4 items

Package Version Source Known Vulns Notes
@coral-xyz/anchor ^0.29.0 npm No Pinned in package-lock.json
@solana/web3.js ^1.89.0 npm No Pinned in package-lock.json
ts-node ^10.9.2 npm No Pinned in package-lock.json
typescript ^5.3.3 npm No Pinned in package-lock.json

Security Positives

✓ No base64-encoded or obfuscated code found
✓ No environment variable harvesting or exfiltration
✓ No access to sensitive paths like ~/.ssh, ~/.aws, or .env
✓ No curl|bash or wget|sh remote script execution
✓ No eval() or dynamic code execution detected
✓ Network connections only to legitimate Solana devnet RPC
✓ Uses official @coral-xyz/anchor and @solana/web3.js libraries
✓ All blockchain operations are on Devnet (no Mainnet risk)
✓ Solid warning against handling human users' private keys