Skip to main content
Glama
liander-ai

safe-solana-mcp

by liander-ai

safe-solana-mcp

An MCP server that gives an AI agent safe, policy-gated access to Solana.

Most "Solana MCP" servers hand an LLM a raw RPC connection and hope for the best. This one puts a guardrail layer in front: reads are free, but anything that moves value has to pass a policy check and an on-chain simulation first, and even then the server only ever hands back an unsigned transaction for you to sign yourself. It holds no keys and never broadcasts.

It speaks the Model Context Protocol, so it drops into Claude Code, Claude Desktop, Cursor, or any MCP client.

Why

Letting an AI touch a chain is useful (read balances, draft a transfer) and scary (what stops it from draining a wallet?). The answer is not "trust the model." It is a layer the model cannot talk its way around:

  • Devnet by default. Mainnet is refused unless you explicitly set ALLOW_MAINNET=true.

  • Per-transfer cap. Every transfer is checked against a hard lamport ceiling.

  • Recipient allowlist. Optionally restrict transfers to a known set of addresses.

  • Simulate before staging. A transfer is simulated against the cluster; if it would fail, it is never staged.

  • No keys, no broadcast. The server returns an unsigned transaction. Signing and sending stay with you.

  • Two-step by design. prepare_transfer stages an action; execute_action re-checks policy and emits the unsigned transaction. The policy runs at both steps.

The policy check is a single pure function (src/policy.ts), so it is easy to audit and covered by tests.

Related MCP server: rug-check-mcp

Tools

Tool

Kind

What it does

get_policy

read

Show the active cluster and guardrails.

get_balance

read

SOL balance of an address.

get_account

read

Owner, lamports, executable flag, and data size of an account.

recent_transactions

read

Recent transaction signatures for an address.

prepare_transfer

guarded

Policy-check and simulate a transfer, then stage it. Returns an actionId.

execute_action

guarded

Re-check policy and return the unsigned transaction to sign yourself.

icp_token_balance

read

Chain Fusion read: an ICRC-1 token's symbol, decimals, and a principal's balance from an Internet Computer ledger canister.

Chain Fusion

The same agent surface can look across chains. icp_token_balance reads an ICRC-1 token (ckBTC, ckETH, ICP, and so on) straight from its ledger canister on the Internet Computer, no bridge involved, so an agent can compare a Solana balance and an ICP token balance in one place. It is a read-only query call.

Example session

An agent connected to the server, running with a 0.5 SOL per-transfer cap on devnet:

You    ▸ What's the balance of 7QFbRS…QeGgY, and send 5 SOL from it to 9xQeV7…?

Claude ▸ get_balance(7QFbRS…QeGgY)
         { "sol": 1.78, "lamports": 1780000000 }

Claude ▸ prepare_transfer(from 7QFbRS…, to 9xQeV7…, sol 5)
         blocked by policy: amount 5000000000 lamports exceeds the
         per-transfer cap of 500000000 lamports

Claude ▸ The address holds 1.78 SOL. I did not stage the 5 SOL transfer,
         it is over the 0.5 SOL cap this server enforces. Lower the amount,
         or raise MAX_SOL_PER_TRANSFER if a larger send is intended.

You    ▸ Fine, prepare 0.1 SOL instead.

Claude ▸ prepare_transfer(from 7QFbRS…, to 9xQeV7…, sol 0.1)
         { "actionId": "5f3c…", "simulation": "passed" }

Claude ▸ execute_action(5f3c…)
         { "unsignedTransactionBase64": "AQAB…",
           "howToSubmit": "sign with the sender's key and broadcast yourself" }

Claude ▸ Staged and simulated cleanly. Here is the unsigned transaction,
         sign it with your wallet and submit it. I never held a key.

And a Chain Fusion read on the Internet Computer:

You    ▸ How much ckBTC does principal xhk7d… hold?

Claude ▸ icp_token_balance(ledger mxzaz-hqaaa-aaaar-qaada-cai, owner xhk7d…)
         { "symbol": "ckBTC", "decimals": 8, "uiAmount": 0.0123 }

Configuration

All optional. Defaults are safe (devnet, 1 SOL cap, no allowlist, mainnet off).

Env var

Default

Meaning

SOLANA_CLUSTER

devnet

devnet, testnet, or mainnet-beta.

SOLANA_RPC_URL

cluster default

Custom RPC endpoint.

MAX_SOL_PER_TRANSFER

1

Hard per-transfer cap, in SOL.

ALLOWLIST

none

Comma-separated recipient addresses. If set, only these may receive.

ALLOW_MAINNET

false

Must be true to run on mainnet-beta.

Install

npm install
npm run build

Then point your MCP client at the built server. For Claude Desktop / Claude Code, add to the MCP config:

{
  "mcpServers": {
    "safe-solana": {
      "command": "node",
      "args": ["/absolute/path/to/safe-solana-mcp/dist/index.js"],
      "env": { "SOLANA_CLUSTER": "devnet", "MAX_SOL_PER_TRANSFER": "0.5" }
    }
  }
}

Now you can ask your agent things like "what's the balance of this address" or "prepare a 0.1 SOL transfer to X" and the guardrails apply automatically.

Develop

npm run dev        # run the server from source (stdio)
npm run typecheck  # tsc, no emit
npm test           # policy unit tests (node:test)

Status

Devnet-first reference, unaudited. The transfer path is intentionally unsigned: this server is a guardrail and a transaction builder, not a wallet. Do not point it at mainnet with real funds without reviewing the policy for your use case.

Stack

TypeScript, the official MCP SDK, @solana/web3.js, and @dfinity/agent for the Internet Computer read.

Install Server
A
license - permissive license
A
quality
C
maintenance

Maintenance

Maintainers
Response time
Release cycle
Releases (12mo)
Commit activity

Resources

Unclaimed servers have limited discoverability.

Looking for Admin?

If you are the server author, to access and configure the admin panel.

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/liander-ai/safe-solana-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server