This is a short, explicit security posture for Moltwallet.
- Generates a wallet (ed25519)
- Reads balances via Solana RPC
- Buys tokens (Pump/Jupiter path)
- Sends SPL tokens + SOL
- Private keys are generated locally and written to
./wallets/<PUBKEY>.json. - Keys are never sent to any external service by Moltwallet.
- CLI avoids passing private keys via command-line flags (shell history leaks).
- You are responsible for storing
wallets/safely and keeping it private.
Moltwallet only makes outbound requests to:
- The configured Solana RPC endpoint
- Public swap endpoints used by the buy flow (e.g., Jupiter) when buying tokens
It does not:
- Send private keys to any server
- Call home / telemetry endpoints
- Upload wallet files
- Wallets are stored in
./wallets/and gitignored. - If you run Moltwallet in a shared folder, move wallets elsewhere.
Moltwallet intentionally uses only:
@solana/web3.js@solana/spl-token
- Not a custody service
- Not a trading bot with custody
- Not a black box: it’s open source
- Read the code before running
- Use a private RPC if possible
- Keep wallets offline when not in use
- Run on a trusted machine