Deploys and manages Solana validators on mainnet and testnet using Ansible playbooks and Jinja2 templates for multiple validator types including jito, agave,...
Security Analysis
medium confidenceThe skill's documentation claims a large set of Ansible playbooks and templates to deploy Solana validators, but the package only contains documentation and a bootstrap script (no playbooks), and it fails to declare required binaries/config paths (Ansible, SSH keys) — this mismatch warrants caution.
The skill's name/description say it deploys/manages Solana validators using a full ansible/ and jinja/ tree of playbooks and templates. However, the provided package contains only documentation, an example inventory, and scripts/setup.sh — the actual ansible/ playbooks and jinja/ templates referenced throughout SKILL.md and AGENT.md are missing. The skill also does not declare required binaries or config paths (e.g., ansible-playbook, ssh keys) even though they are necessary for its stated purpose.
SKILL.md instructs the agent to run ansible-playbook, to collect server IP, ssh_user, and ssh_key_path, and to download snapshots (aria2c/curl) and interact with local RPC endpoints. Those instructions are reasonable for a validator-deployment skill, but they assume access to SSH private keys and external snapshot/block-engine endpoints. The instructions follow safety rules (confirm before destructive actions, do not log private keys), but the skill's instructions do not make clear where the missing playbooks will come from — leaving the agent with vague guidance to fetch or expect external artifacts.
There is no formal install spec; it's instruction-only plus scripts/setup.sh. setup.sh attempts to install ansible-core via pip or system packages (with sensible fallbacks) and checks for SSH keys. The script itself does not download unknown archives or execute remote code beyond invoking package managers. However, the skill's operation depends on many external binaries and remote resources (Ansible playbooks, Solana/Jito/Firedancer source repos) which are not included.
The skill declares no required environment variables or config paths, yet runtime instructions and examples reference SSH private key paths (~/.ssh/id_rsa), ansible-playbook, and an optional ERPC API key / reference_rpc_url. Requiring SSH key access and potentially API keys is proportional to the task — but these credentials are not declared in metadata. That mismatch means a user might unknowingly provide sensitive credentials to fulfill the skill's flow without clear upfront warning in the registry metadata.
The skill is not set to always:true and does not request persistent elevated privileges in the manifest. setup.sh may install packages using sudo when necessary, which is normal for a local bootstrap script. There is no evidence the skill tries to modify other skills or system-wide agent settings.
Guidance
Do not install or run this skill blindly. Key concerns: (1) The package lists many Ansible playbooks/templates but does not actually include them — ask the publisher or check the upstream repository (ValidatorsDAO/slv) for the full playbook tree before proceeding. (2) The runtime flow requires Ansible, SSH private keys, and optionally API keys; verify how and where those keys will be used, and avoid supplying long-lived private keys to an unverified skill. (3) Inspect the actual Ansible playbooks and Jinja templates (not just the documentation) for any network callbacks, unknown download URLs, or commands that could exfiltrate keys or run arbitrary remote code. (4) If you still want to try it, clone the authoritative GitHub repo yourself, review playbooks locally, run setup.sh in a controlled environment (container/VM), and use ephemeral SSH keys with limited access to test servers. Ask the publisher for the missing playbook files and a trustworthy homepage/source before trusting this skill in production.
Latest Release
v0.10.2
- Removed 103 files primarily from the shared Ansible common (`cmn/`) directory. - Playbooks for package installation, system setup, and utility tasks are no longer included. - The skill now focuses on validator management and deployment playbooks specific to mainnet and testnet. - Documentation updated to remove mention of the deleted common playbooks and related task mapping.
Popular Skills
Published by @POPPIN-FUMI on ClawHub
