Back to skill

Security audit

Solana Dev Skill

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Solana development reference skill with one confirmed unsafe-code documentation issue users should review before copying examples.

Safe to install as a Solana development reference, but do not blindly copy the Pinocchio zero-copy pointer-cast example; verify unsafe Rust preconditions or prefer field-by-field parsing. Review any generated wallet, signing, payment, or mainnet-facing code carefully before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The documentation explicitly presents `Ok(unsafe { &*(data.as_ptr() as *const Self) })` as a "Safe Pattern," but this cast is only sound if the input buffer is properly aligned for `Self`. Solana account data is a byte slice and does not inherently guarantee alignment for arbitrary Rust structs, so consumers following this guidance can trigger undefined behavior, memory corruption, or non-deterministic program failures in on-chain code.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.