Pumpfun Agent Integration

Security checks across malware telemetry and agentic risk

Overview

This skill is a payment bot template, but its bundled code takes custody of user crypto funds in a way the skill text says it should not.

Install only if you intend to review and redesign the payment custody model. Do not run this with real user funds as-is; replace the server-held deposit wallets with user-signed wallet flows or add explicit custody disclosures, encrypted key management, audit controls, withdrawal/recovery handling, and dependency updates before production use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
A strong description-behavior mismatch is a serious security concern because it can hide materially riskier functionality from reviewers and users. If the underlying template really creates and stores per-user Solana private keys, automatically spends deposited funds, and maintains internal balances while claiming to merely scaffold invoice-verification flows, operators may unknowingly deploy custodial wallet infrastructure with key-management, fund-loss, and abuse risks.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The server maintains its own credit ledger and exposes a spend API, which turns a payment verification scaffold into a custodial value-tracking system. That increases security scope substantially: bugs in balance accounting, replay handling, authorization boundaries, or race conditions could let users obtain or spend credits incorrectly, and the local ledger may diverge from the authoritative on-chain payment state.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The application generates per-user custodial Solana wallets and stores the corresponding private keys, meaning the service takes custody of user funds. This is highly sensitive because compromise of the server or database immediately exposes all user deposit wallets, and the skill description does not indicate that custodial key management is necessary for a simple Pump.fun invoice/payment integration scaffold.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The service provisions per-user deposit wallets and later stores their private keys server-side, giving the operator full control over user-deposited funds. In a payment integration scaffold, this materially changes the trust model from invoice verification to custodial key management, creating theft and breach risk if the database or server is compromised.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
Private key material is serialized to base58 and written directly into SQLite, which is an insecure storage pattern for cryptographic secrets. Any local file disclosure, backup leak, developer access, container escape, or host compromise would reveal wallet keys and permit theft of deposited funds, making this much more dangerous in a payment-handling skill.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The application stores per-user deposit wallet secret keys in SQLite as base58 plaintext-equivalent data, which makes compromise of the app host, database file, backups, or logs potentially sufficient to steal all user deposits. Because these wallets are server-controlled and tied to user funding flows, this is a serious custodial-secret handling weakness.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The server signs and submits blockchain transactions using a server-controlled deposit wallet, meaning users must trust the service not to misuse deposited funds and any compromise of the server can immediately lead to unauthorized transactions. In the stated context of payment integration scaffolding, this is more dangerous because it quietly introduces custodial transaction authority rather than simple invoice generation/verification.

Known Vulnerable Dependency: fastify==5.8.2 — 2 advisory(ies): CVE-2026-33806 (Fastify has a Body Schema Validation Bypass via Leading Space in Content-Type He); CVE-2026-3635 (fastify: request.protocol and request.host Spoofable via X-Forwarded-Proto/Host )

High
Category
Supply Chain
Confidence
97% confidence
Finding
fastify==5.8.2

VirusTotal

66/66 vendors flagged this skill as clean.
