Add shipyardtools.xyz to whitelist

[shipsintheyard]

Shipyard Tools (shipyardtools.xyz) is a Solana utility suite. Our first tool, Trawler, helps users close empty token accounts to reclaim rent SOL.

• Only uses standard token account close instructions
• No seed phrase requests or risky approvals
• Twitter: @shipsintheyard
• GitHub: github.com/shipsintheyard/shipyard

Summary by CodeRabbit

• Chores
  • Fixed a duplicate list entry and cleaned up formatting in the domain whitelist to ensure entries are correct.
  • Added shipyardtools.xyz to the whitelist and preserved all existing entries.
  • Ensured proper end-of-file newline to improve reliability when the whitelist is read or processed.

_{✏️ Tip: You can customize this high-level summary in your review settings.}

[coderabbitai]

📝 Walkthrough

Walkthrough

Fixed a malformed YAML list entry in the whitelist and added a new domain entry. The nftplus.io line was corrected and shipyardtools.xyz was appended as a new whitelist item.

Changes

Cohort / File(s)	Summary
Whitelist configuration whitelist.yaml	Removed a duplicated/malformed list line for nftplus.io, corrected YAML list formatting, and added a new entry shipyardtools.xyz.

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title directly matches the main change: adding a new domain (shipyardtools.xyz) to the whitelist file.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Fix all issues with AI agents

In @whitelist.yaml:
- Around line 33-34: The entry "shipyardtools.xyz" is quoted while plain domain
entries like nftplus.io and phantom.app are unquoted; remove the unnecessary
quotes around shipyardtools.xyz so it matches the existing style for
non-wildcard domains (leave quoted patterns like "*.web.app" as-is) — update the
string "shipyardtools.xyz" to the unquoted form shipyardtools.xyz to restore
formatting consistency.

📜 Review details

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between f0e8ff9 and 7493b12.

📒 Files selected for processing (1)

• whitelist.yaml

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify the domain is active and check basic info
echo "=== Checking if domain resolves ==="
curl -sI "https://shipyardtools.xyz" | head -10

echo ""
echo "=== Checking GitHub repository existence ==="
gh repo view shipsintheyard/shipyard --json name,description,createdAt,stargazerCount,url,homepageUrl 2>/dev/null || echo "Repository not found or not accessible"

Repository: phantom/blocklist

Length of output: 623

---

🌐 Web query:

shipyardtools.xyz Solana rent reclaim reputation

💡 Result:

I couldn’t find any reputable information, audits, or community discussion about shipyardtools.xyz. Treat it as unverified and potentially unsafe.

If you’re considering using it to reclaim Solana rent, do not connect your main wallet. Quick safety steps:

• Use a throwaway/test wallet (never your main funds).
• Verify domain ownership / WHOIS and search X/Discord/Reddit for reviews.
• Check for audits, GitHub source, and on-chain contract addresses before approving transactions.
• Review any requested permissions and revoke afterward if needed.
• Prefer hardware wallets or Phantom’s built-in warnings; never share seed phrases.

Useful references on dApp safety and wallet hygiene: Phantom security tips; Solana best practices; how to check/revoke approvals. [1][2][3]

Sources:
[1] Phantom — Security tips for Phantom users. (help.phantom.com)
[2] Smithii — Safety practices for Solana (checking URLs, suspicious domains like .xyz, use test wallets). (smithii.io)
[3] SolChekers — Solana security guide (checking permissions, revoke approvals). (solchekers.com)

If you want, I can: (A) search more widely for shipyardtools.xyz (WHOIS, cached pages, social mentions), or (B) walk you through how to create a safe test wallet and check permissions. Which would you prefer?

Citations:

• 1: https://help.phantom.com/hc/en-us/articles/13515761228051-Security-Tips-for-Phantom-users?utm_source=openai
• 2: https://smithii.io/en/best-secure-practices-solana/?utm_source=openai
• 3: https://solchekers.com/wiki/en/security-guide?utm_source=openai

---

🌐 Web query:

"shipyard" solana token account close rent

💡 Result:

Do you mean the Shipyard app/service, or just “how to close SPL token accounts on Solana to recover rent”? Quick answers below — tell me which you want more detail on.

• How to close an SPL token account (CLI): use the SPL Token CLI: spl-token close <TOKEN_ACCOUNT_ADDRESS>. That runs the Token Program CloseAccount instruction and returns the account’s rent-exempt SOL to the destination you specify. Non‑native (regular) token accounts must be empty to be closed; wrapped SOL accounts behave specially. [1][2]

• Wallets / web tools: most wallets (Phantom, Solflare) and reclaim tools scan for empty token accounts and let you close them with a wallet signature; each closed account typically returns ~0.002 SOL (rent-exempt deposit). Be careful to only close accounts with zero token balance and review any third‑party tool’s fees/permissions. [2][3]

• Important notes:

  • You cannot close a token account that still holds tokens (burn or transfer the tokens first). [1]
  • Wrapped SOL token accounts can be closed even when non‑zero (they return SOL differently). [1]
  • Verify any third‑party reclaim site before connecting (scams exist). [2][3]

Sources:
[1] SPL Token (Token Program) docs — rent‑exemption and CloseAccount. (spl.solana.com)
[2] Guides / reclaim tools explaining closing empty token accounts and typical rent reclaimed (~0.002 SOL). (reclaim.mwh.app)

If you meant a specific Shipyard product/service, tell me the exact Shipyard URL or paste what you see and I’ll give tailored steps.

Citations:

• 1: https://spl.solana.com/token?utm_source=openai
• 2: https://reclaim.mwh.app/learn/how-to-close-token-accounts-on-solana?utm_source=openai

---

Block whitelisting of shipyardtools.xyz until the project has established community reputation and transparency.

The domain does resolve (Vercel-hosted), and the GitHub repository exists, but both are brand new: the repo was created today (2026-01-12) with zero stars and no description. Web searches reveal no community discussion, audits, reviews, or reputation for this project. For a crypto wallet whitelist—one of the highest-security contexts—adding a zero-day, unvetted tool with no track record is unacceptable. Require:

• Established GitHub history with multiple commits and activity
• Community reviews, social proof, or audit coverage
• Detailed project documentation and clear on-chain contract addresses
• WHOIS verification of domain ownership against claimed GitHub identity

[shipsintheyard]

Hey, Trawler is a free Solana utility that helps users close empty token accounts to reclaim rent SOL.

What it does:

Scans wallets for empty token accounts (0 balance)
Lets users close them to recover ~0.002 SOL each
Only uses standard closeAccount instructions from SPL Token Program
Security:

No fees, no token approvals, no seed phrases requested
Users sign each transaction in their wallet before anything executes
Fully open source
Links:

Live site: https://shipyardtools.xyz/
Source code: https://github.com/shipsintheyard/shipyard
Twitter: https://twitter.com/ShipsInTheYard
Happy to answer any questions about the implementation.

[coderabbitai]

Actionable comments posted: 1

🤖 Fix all issues with AI agents

In @whitelist.yaml:
- Around line 33-34: Do not approve adding url: shipyardtools.xyz to the
whitelist yet; verify the newness and perform a security review of the Trawler
project (repo shipsintheyard/shipyard and domain shipyardtools.xyz) by checking
repository creation date and domain registration, auditing the tool’s source to
ensure it only issues standard token account close instructions and never
requests seed phrases or dangerous token approvals, and either add a note/flag
in the whitelist YAML marking shipyardtools.xyz as "pending-review" or move it
to a staging whitelist until the above checks are completed.

📜 Review details

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 7493b12 and 22e39fd.

📒 Files selected for processing (1)

• whitelist.yaml

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

# Check if GitHub repository exists and get details
curl -s https://api.github.com/repos/shipsintheyard/shipyard | jq '{name: .name, exists: (.id != null), description: .description, url: .html_url, created_at: .created_at, pushed_at: .pushed_at}' 2>/dev/null || echo "Could not fetch repository"

Repository: phantom/blocklist

Length of output: 260

---

🌐 Web query:

shipyardtools.xyz domain

💡 Result:

Summary: shipyardtools.xyz is an active website hosting "The Shipyard" web tools (the /trawler Solana wallet scanner/recovery tool). The site loads and presents a Solana wallet scanner called "Trawler." [1]

Evidence:

• Live site content (Trawler wallet scanner on shipyardtools.xyz). [1]
• Related public profile for "Shipyard" (Solana ecosystem) on X/Twitter, which appears to be the project's social presence. [2]

If you want WHOIS, DNS, or an IP/hosting provider lookup for this domain, tell me which of those you want and I’ll fetch them.

---

🌐 Web query:

ShipsInTheYard GitHub project

💡 Result:

I couldn't find a GitHub repository named "ShipsInTheYard." Do you have a link, the exact repo owner/name, or any other details (description, language, or files) so I can search again?

---

🌐 Web query:

shipsintheyard shipyard NFT tool

💡 Result:

I couldn't find a tool or project specifically named "ShipsInTheYard" or "Ships in the Yard" related to NFTs. Did you mean one of these instead?

• Ocean Protocol's Shipyard grant/program (not an NFT tool). [1]
• Shipyard — a developer environment/product platform (Shipyard.build). [2]

If you can share a link, screenshot, or more context (blockchain/network, marketplace, or where you saw it), I’ll search deeper.

---

The domain and repository exist, but their recent creation should inform your approval decision.

The YAML formatting fix on line 33 is correct. For line 34's whitelist addition of shipyardtools.xyz:

The domain is active and serves "The Shipyard" Solana wallet scanner (Trawler), and the GitHub repository shipsintheyard/shipyard exists with a public Twitter presence. However, both the repository and likely the domain are brand new—created on January 12, 2026.

While the project appears legitimate based on available evidence, the lack of track record adds risk to adding this domain to a security-sensitive whitelist. Before approval, verify:

1. Security review - Inspect the Trawler tool source code to confirm it only performs standard token account close instructions and does not request seed phrases or risky approvals
2. Domain/repo age context - Assess whether the newness is acceptable for whitelist inclusion, or wait for more project maturity

🤖 Prompt for AI Agents

In @whitelist.yaml around lines 33 - 34, Do not approve adding url:
shipyardtools.xyz to the whitelist yet; verify the newness and perform a
security review of the Trawler project (repo shipsintheyard/shipyard and domain
shipyardtools.xyz) by checking repository creation date and domain registration,
auditing the tool’s source to ensure it only issues standard token account close
instructions and never requests seed phrases or dangerous token approvals, and
either add a note/flag in the whitelist YAML marking shipyardtools.xyz as
"pending-review" or move it to a staging whitelist until the above checks are
completed.