Skill Trust Decision

safe-flow-solana-skill

SafeFlow Solana skill has undeclared shell execution and missing referenced files, with a doc-to-code mismatch that obscures actual implementation complexity.

Install decision first
Source: Manual upload
Scanned: Apr 3, 2026
Files 4
Artifacts 2
Violations 0
Findings 5
Most direct threat evidence
High Doc Mismatch
Undocumented shell command execution

SKILL.md declares no shell:WRITE but scripts execute solana-keygen (bootstrap.sh:40) and npx ts-node (execute_payment.sh:36). This is significant shell access not disclosed to users.

scripts/bootstrap.sh:40

Why this conclusion was reached

1/4 dimensions flagged
Pass
Declared vs actual capability

Declared resources and inferred behavior are broadly aligned.

Review
Hidden execution and egress

2 lower-risk artifacts were extracted and still need context.

Block
Attack chain and severe findings

The report includes 0 attack-chain steps and 3 severe findings.

Review
Dependencies and supply chain hygiene

5 dependency or supply-chain issues need attention.

What drove the risk score up

Undeclared shell execution +15

SKILL.md does not document use of solana-keygen, npx, ts-node, or node executables

Missing referenced files +12

execute_payment.sh references sdk/src/agent and target/idl/safeflow_solana.json which do not exist in the skill package

Undeclared Node.js runtime +8

SKILL.md declares no dependencies; save_config.sh and execute_payment.sh require Node.js with specific packages

Network access not documented +7

SKILL.md does not list network:READ or mention Solana API endpoints (devnet/mainnet)

Most important evidence

High Doc Mismatch

Undocumented shell command execution

SKILL.md declares no shell:WRITE but scripts execute solana-keygen (bootstrap.sh:40) and npx ts-node (execute_payment.sh:36). This is significant shell access not disclosed to users.

scripts/bootstrap.sh:40

Document all shell commands in SKILL.md under ## Required Tools or ## Declared Capabilities

High Doc Mismatch

Missing referenced implementation files

execute_payment.sh lines 39 and 41 reference target/idl/safeflow_solana.json and ./sdk/src/agent. Neither file exists in the package. This means the script cannot function as written.

scripts/execute_payment.sh:39

Either include these files in the skill package or update SKILL.md to explain these are external dependencies that must be provided separately

High Doc Mismatch

Undeclared Node.js runtime dependency

save_config.sh and execute_payment.sh require Node.js with packages @solana/web3.js and @coral-xyz/anchor. SKILL.md declares no dependencies, no runtime requirements, and no package manager (npm/pnpm).

scripts/save_config.sh:24

Add a ## Dependencies section to SKILL.md listing Node.js version, npm packages, and any external CLI tools

Medium Doc Mismatch

Undeclared network endpoints

SKILL.md does not mention network:READ capability or the Solana API endpoints (api.devnet.solana.com, api.mainnet-beta.solana.com) that execute_payment.sh connects to.

scripts/execute_payment.sh:44

Add ## Network Access section to SKILL.md listing all external API endpoints

Low Supply Chain

Unpinned npx/ts-node execution

execute_payment.sh uses 'npx ts-node' without version pinning, which could execute different versions over time. The SKILL.md also does not declare this tool requirement.

scripts/execute_payment.sh:36

Pin ts-node version in package.json and document the requirement in SKILL.md

Declared capability vs actual capability

Filesystem Pass
Declared NONE
Inferred WRITE
bootstrap.sh:35 writes .safeflow/config.json

Shell Pass
Declared NONE
Inferred WRITE
bootstrap.sh:40 executes solana-keygen; execute_payment.sh:36 executes npx ts-node

Network Pass
Declared NONE
Inferred READ
execute_payment.sh:44-46 connects to api.devnet.solana.com

Environment Pass
Declared NONE
Inferred NONE
No environment variable access detected

Suspicious artifacts and egress

Medium External URL
https://api.devnet.solana.com

scripts/execute_payment.sh:44

Medium External URL
https://api.mainnet-beta.solana.com

scripts/execute_payment.sh:46

Dependencies and supply chain

| Package | Version | Source | Known vuln | Notes |
|---|---|---|---|---|
| npx | * | npm | No | Not pinned, not declared in SKILL.md |
| ts-node | * | npm | No | Not pinned, not declared in SKILL.md |
| @solana/web3.js | * | npm | No | Not declared in SKILL.md, loaded at runtime |
| @coral-xyz/anchor | * | npm | No | Not declared in SKILL.md, loaded at runtime |
| solana-keygen | * | cli | No | External Solana CLI tool, not declared in SKILL.md |

File composition

4 files · 264 lines
Shell 3 files · 193 lines
Markdown 1 file · 71 lines
Files of concern · 3
scripts/execute_payment.sh Shell · 91 lines
Missing referenced implementation files · Undeclared network endpoints · Unpinned npx/ts-node execution · https://api.devnet.solana.com · https://api.mainnet-beta.solana.com
scripts/bootstrap.sh Shell · 64 lines
Undocumented shell command execution
scripts/save_config.sh Shell · 38 lines
Undeclared Node.js runtime dependency
Other files · SKILL.md

Security positives

No credential harvesting or sensitive data exfiltration detected
No base64-encoded obfuscation or anti-analysis techniques found
No reverse shell, C2, or reverse connection behavior
No hidden instructions in comments or documentation
No attempts to access ~/.ssh, ~/.aws, or .env files
Payment logic appears to be legitimate Solana on-chain rate limiting
No evidence of persistence mechanisms (cron, startup hooks, backdoors)