Security audit

Openpump Solana Mcp

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Solana trading integration, but it can move real funds, run automated trading, launch tokens, and use broad wallet authority with incomplete consent and credential-safety guardrails.

Install only if you intentionally want an agent connected to live Solana trading and wallet operations. Use a dedicated low-balance account, pin or independently verify the MCP package before use, keep the API key out of prompts/logs/shared files, require explicit confirmation for every trade, transfer, launch, bundle, snipe, and market-making action, and avoid standing automation unless you fully accept the loss and irreversibility risks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The file presents the agent as recommendation-only and user-supervised, but later instructions operationalize direct execution workflows that undermine that safety model. In a financial trading skill with real wallet and transfer capabilities, this inconsistency can cause the agent to act beyond the user's intended authorization boundary.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding
This section clearly states that the agent must wait for explicit user approval before executing buys, sells, or transfers, yet later workflow steps direct the agent to call trading tools directly. That contradiction is dangerous because an LLM may follow the procedural steps over the policy statement, leading to unauthorized financial transactions and asset loss.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding
The skill’s invocation description is extremely broad, covering nearly any pump.fun or related Solana trading request, including high-risk actions like transfers, token launches, sniping, market making, spam launches, and custodial wallet management. Overly broad matching can cause the agent to select this skill in ambiguous contexts and expose powerful financial operations when the user only intended to ask for information, increasing the chance of unintended or unsafe execution.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill advertises high-risk financial operations including token launches, trading, transfers, sniping, market making, and spam launches, but provides no explicit warning that these actions can move funds, incur fees, or cause irreversible on-chain effects. In an agent-tooling context, that omission materially increases the chance of unsafe user use or accidental invocation of destructive blockchain actions.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The document instructs users to configure a live API key and notes outbound connections to third-party services, but does not warn that credentials and wallet-related requests will be sent off-host to external infrastructure. This can lead to users exposing sensitive operational data without understanding retention, access, or compromise risks associated with the service.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The trade workflow includes direct buy and sell actions as part of the normal sequence without a required pause for renewed user consent. In a custodial or wallet-managing trading context, procedural instructions like these can be followed literally by an agent, resulting in unintended or unauthorized trading activity.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The documentation explicitly states that all tools communicate using the user's `OPENPUMP_API_KEY`, but it does not warn users not to paste, expose, log, or transmit that credential in prompts, tool arguments, screenshots, or shared workspaces. In a high-risk skill that performs financial and custodial wallet operations, omission of credential-handling guidance increases the chance of API key leakage and subsequent unauthorized trading, wallet actions, or account abuse.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.