safe-solana-mcp

safe-solana-mcp

An MCP server providing policy-gated Solana access for AI agents, with read-only operations and guarded transfers that require policy checks and simulation, returning unsigned transactions.

Category
Visit Server

README

safe-solana-mcp

An MCP server that gives an AI agent safe, policy-gated access to Solana.

Most "Solana MCP" servers hand an LLM a raw RPC connection and hope for the best. This one puts a guardrail layer in front: reads are free, but anything that moves value has to pass a policy check and an on-chain simulation first, and even then the server only ever hands back an unsigned transaction for you to sign yourself. It holds no keys and never broadcasts.

It speaks the Model Context Protocol, so it drops into Claude Code, Claude Desktop, Cursor, or any MCP client.

Why

Letting an AI touch a chain is useful (read balances, draft a transfer) and scary (what stops it from draining a wallet?). The answer is not "trust the model." It is a layer the model cannot talk its way around:

  • Devnet by default. Mainnet is refused unless you explicitly set ALLOW_MAINNET=true.
  • Per-transfer cap. Every transfer is checked against a hard lamport ceiling.
  • Recipient allowlist. Optionally restrict transfers to a known set of addresses.
  • Simulate before staging. A transfer is simulated against the cluster; if it would fail, it is never staged.
  • No keys, no broadcast. The server returns an unsigned transaction. Signing and sending stay with you.
  • Two-step by design. prepare_transfer stages an action; execute_action re-checks policy and emits the unsigned transaction. The policy runs at both steps.

The policy check is a single pure function (src/policy.ts), so it is easy to audit and covered by tests.

Tools

Tool Kind What it does
get_policy read Show the active cluster and guardrails.
get_balance read SOL balance of an address.
get_account read Owner, lamports, executable flag, and data size of an account.
recent_transactions read Recent transaction signatures for an address.
prepare_transfer guarded Policy-check and simulate a transfer, then stage it. Returns an actionId.
execute_action guarded Re-check policy and return the unsigned transaction to sign yourself.
icp_token_balance read Chain Fusion read: an ICRC-1 token's symbol, decimals, and a principal's balance from an Internet Computer ledger canister.

Chain Fusion

The same agent surface can look across chains. icp_token_balance reads an ICRC-1 token (ckBTC, ckETH, ICP, and so on) straight from its ledger canister on the Internet Computer, no bridge involved, so an agent can compare a Solana balance and an ICP token balance in one place. It is a read-only query call.

Example session

An agent connected to the server, running with a 0.5 SOL per-transfer cap on devnet:

You    ▸ What's the balance of 7QFbRS…QeGgY, and send 5 SOL from it to 9xQeV7…?

Claude ▸ get_balance(7QFbRS…QeGgY)
         { "sol": 1.78, "lamports": 1780000000 }

Claude ▸ prepare_transfer(from 7QFbRS…, to 9xQeV7…, sol 5)
         blocked by policy: amount 5000000000 lamports exceeds the
         per-transfer cap of 500000000 lamports

Claude ▸ The address holds 1.78 SOL. I did not stage the 5 SOL transfer,
         it is over the 0.5 SOL cap this server enforces. Lower the amount,
         or raise MAX_SOL_PER_TRANSFER if a larger send is intended.

You    ▸ Fine, prepare 0.1 SOL instead.

Claude ▸ prepare_transfer(from 7QFbRS…, to 9xQeV7…, sol 0.1)
         { "actionId": "5f3c…", "simulation": "passed" }

Claude ▸ execute_action(5f3c…)
         { "unsignedTransactionBase64": "AQAB…",
           "howToSubmit": "sign with the sender's key and broadcast yourself" }

Claude ▸ Staged and simulated cleanly. Here is the unsigned transaction,
         sign it with your wallet and submit it. I never held a key.

And a Chain Fusion read on the Internet Computer:

You    ▸ How much ckBTC does principal xhk7d… hold?

Claude ▸ icp_token_balance(ledger mxzaz-hqaaa-aaaar-qaada-cai, owner xhk7d…)
         { "symbol": "ckBTC", "decimals": 8, "uiAmount": 0.0123 }

Configuration

All optional. Defaults are safe (devnet, 1 SOL cap, no allowlist, mainnet off).

Env var Default Meaning
SOLANA_CLUSTER devnet devnet, testnet, or mainnet-beta.
SOLANA_RPC_URL cluster default Custom RPC endpoint.
MAX_SOL_PER_TRANSFER 1 Hard per-transfer cap, in SOL.
ALLOWLIST none Comma-separated recipient addresses. If set, only these may receive.
ALLOW_MAINNET false Must be true to run on mainnet-beta.

Install

npm install
npm run build

Then point your MCP client at the built server. For Claude Desktop / Claude Code, add to the MCP config:

{
  "mcpServers": {
    "safe-solana": {
      "command": "node",
      "args": ["/absolute/path/to/safe-solana-mcp/dist/index.js"],
      "env": { "SOLANA_CLUSTER": "devnet", "MAX_SOL_PER_TRANSFER": "0.5" }
    }
  }
}

Now you can ask your agent things like "what's the balance of this address" or "prepare a 0.1 SOL transfer to X" and the guardrails apply automatically.

Develop

npm run dev        # run the server from source (stdio)
npm run typecheck  # tsc, no emit
npm test           # policy unit tests (node:test)

Status

Devnet-first reference, unaudited. The transfer path is intentionally unsigned: this server is a guardrail and a transaction builder, not a wallet. Do not point it at mainnet with real funds without reviewing the policy for your use case.

Stack

TypeScript, the official MCP SDK, @solana/web3.js, and @dfinity/agent for the Internet Computer read.

More demos

More at github.com/liander-ai.

Recommended Servers

playwright-mcp

playwright-mcp

A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.

Official
Featured
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.

Official
Featured
Local
TypeScript
Audiense Insights MCP Server

Audiense Insights MCP Server

Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.

Official
Featured
Local
TypeScript
VeyraX MCP

VeyraX MCP

Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.

Official
Featured
Local
graphlit-mcp-server

graphlit-mcp-server

The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.

Official
Featured
TypeScript
Kagi MCP Server

Kagi MCP Server

An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.

Official
Featured
Python
E2B

E2B

Using MCP to run code via e2b.

Official
Featured
Neon Database

Neon Database

MCP server for interacting with Neon Management API and databases

Official
Featured
Exa Search

Exa Search

A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.

Official
Featured
Qdrant Server

Qdrant Server

This repository is an example of how to create a MCP server for Qdrant, a vector search engine.

Official
Featured