Helius API

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill for read-only Solana lookups through Helius, with normal API-key and third-party privacy considerations.

Install only if you want your agent to query Helius for Solana data. Use a limited or easily rotated Helius API key, prefer header-based authentication over URL query strings, expect API credits to be consumed, and avoid querying wallets or transactions you do not want associated with your Helius account.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill explicitly directs use of a third-party API for wallet balances, history, transfers, and identity lookups but does not disclose that wallet addresses and transaction-related data will be sent to Helius. Even though blockchain addresses are often public, submitting user-supplied addresses, queried histories, and analysis targets to an external provider can create privacy, tracking, and data-governance risks.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The example code places the API key in the query string, which is commonly logged by browsers, proxies, servers, observability tools, and shared via copy/paste or referrer leakage. Even though this is documentation, users are likely to copy the pattern directly, making accidental credential exposure realistic in normal use.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal