Solana Easy Swap

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Solana swap tool that can move real funds, so it is high-impact but coherent with its stated purpose.

Install only if you are comfortable giving this skill signing access to the wallet at SOLANA_KEYPAIR_PATH. Use a dedicated low-balance wallet, verify token mints, amount, minimum received, slippage, price impact, and destination before confirming, and remember that Jupiter and RPC providers can see swap metadata.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill allows `--destination` to override where swap proceeds are sent, and only gates it behind an `--allowThirdParty` flag. In a chat-driven trading skill, this creates a direct asset-redirection primitive: if an agent or prompt layer injects those arguments, the signed transaction can legitimately deliver tokens to an attacker-controlled account with no onchain recovery.

Missing User Warnings

Medium
Confidence: 89%
Finding
The script loads a signing keypair from `SOLANA_KEYPAIR_PATH` and uses it to authorize swaps, but there is no user-facing disclosure at the point of use that a local private key will be accessed. In an agent skill context, this can cause users to invoke real-money transactions without understanding that the skill has direct signing authority over funds.

Missing User Warnings

Medium
Confidence: 85%
Finding
The skill sends wallet and trade details, including the user's public key and swap parameters, to Jupiter's external API to obtain a quote and prebuilt transaction, without explicit disclosure. That exposes transactional intent and delegates transaction construction to a third party, which is especially sensitive in a financial agent where users may assume all processing is local.

Missing User Warnings

Medium
Confidence: 93%
Finding
The `execute` path signs the prepared transaction with the local keypair and immediately broadcasts it to mainnet. In a chat-triggered swap skill, broadcasting a real asset transfer without an explicit final warning or human confirmation materially increases the risk of unintended trades, prompt-injected execution, or loss from stale/malicious prepared transactions.

VirusTotal

65/65 vendors flagged this skill as clean.
