Back to skill

Security audit

Reliable Pumpfun Price Feed

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Bitquery WebSocket market-data feed that uses a required API key for its stated purpose.

Install only if you are comfortable giving the script a Bitquery API key and opening a WebSocket connection to Bitquery. Run it in a virtual environment, avoid logging or sharing the full WebSocket URL, and consider pinning the Python dependency before using it in production.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
70% confidence
Finding
Without declared permissions the skill's intent is opaque and cannot be validated.

Env Variable Harvesting

High
Category
Data Exfiltration
Content
from gql.transport.websockets import WebsocketsTransport

async def main():
    token = os.environ["BITQUERY_API_KEY"]
    url = f"wss://streaming.bitquery.io/graphql?token={token}"
    transport = WebsocketsTransport(
        url=url,
Confidence
80% confidence
Finding
os.environ["BITQUERY_API_KEY"]

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.