Colony Solana

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended to play a Solana game, but it gives an autonomous agent control of real funds without strong spending limits or approval controls.

Install only if you are comfortable giving an autonomous bot control over a dedicated Solana hot wallet. Use a new low-balance wallet, never a primary wallet, keep the private key out of logs and shared files, verify the program and token addresses independently, and require manual review for swaps, purchases, and upgrades until spending limits and protocol admin risks are clear.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
The generate-wallet command creates a new Solana keypair and prints the private key directly to stdout in JSON. In an agent/automation environment, stdout is often logged, forwarded, or persisted, so this can leak control of blockchain funds and expands the skill beyond gameplay into wallet custody/provisioning.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The IDL exposes owner-only instructions to withdraw all SOL and SPL tokens from program-controlled vaults, which goes beyond a normal gameplay automation surface and creates a custodial rug-pull path. In the context of a skill advertised as autonomous Colony gameplay on Solana, these hidden administrative drains materially increase risk because users may deposit value expecting only game interactions, while the authority can extract funds at any time.

Description-Behavior Mismatch

Severity: Low
Confidence: 82%
Finding
The IDL includes privileged lifecycle controls such as initialize, migrate, pause/unpause, and token-mint reassignment that are not reflected in the skill description. While some of these can be legitimate maintenance functions, undisclosed owner controls are dangerous because they let the authority change program behavior, freeze gameplay, or redirect token flows without users understanding the trust model.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
Administrative withdrawal of all treasury SOL and SPL tokens is a direct fund-extraction mechanism. In a gameplay skill that may encourage users to buy land, upgrade with real SPL tokens, and accumulate claimable earnings, this enables the authority to empty the vault backing user rewards or deposits, causing total loss of funds and breaking all payout assumptions.

Context-Inappropriate Capability

Severity: High
Confidence: 94%
Finding
Admin-only account-closing instructions can forcibly close land, user profile, and token vault accounts and redirect rent or state teardown under authority control. For a game skill, these powers can be abused to disrupt users, erase state, interfere with claims, or facilitate further fund extraction, and they are especially suspicious because they are not justified by the advertised gameplay purpose.
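The four IDL findings above (withdraw-all, lifecycle controls, treasury drain, forced account closure) all come down to one check a user can run before depositing anything: enumerate every instruction in the program's IDL that is gated on an operator signer or whose name implies fund movement or state teardown. The script below is an added example, not part of the skill or the Colony program; the IDL it parses is constructed to mirror the kinds of instructions the findings describe, and the account names, program name and keyword list are assumptions. For a real program, fetch the published IDL (Anchor programs usually expose it via `anchor idl fetch <program-id>`) and feed it to `audit_idl`.

```python
"""Enumerate privileged instructions in an Anchor IDL.
Added example; the IDL below is constructed, not the Colony program's real IDL."""
import json

# Account names that conventionally denote the program operator (assumption).
ADMIN_ACCOUNT_NAMES = {"authority", "owner", "admin", "upgrade_authority"}
# Name fragments suggesting fund movement, teardown or lifecycle control.
# Heuristic only: the runtime enforces signer constraints, not names.
DANGEROUS_FRAGMENTS = ("withdraw", "drain", "close", "migrate", "pause",
                       "set_mint", "set_token_mint", "initialize", "reinit")


def _is_signer(acct: dict) -> bool:
    # Anchor < 0.30 IDLs use "isSigner"; 0.30+ IDLs use "signer".
    return bool(acct.get("isSigner") or acct.get("signer"))


def _flatten(accounts):
    """Anchor IDLs may nest accounts in named groups; yield the leaves."""
    for acct in accounts:
        if "accounts" in acct:
            yield from _flatten(acct["accounts"])
        else:
            yield acct


def audit_idl(idl: dict) -> list:
    """Return [{'name', 'admin_signers', 'reasons'}] for every instruction
    that requires an operator signer or carries a dangerous name."""
    findings = []
    for ix in idl.get("instructions", []):
        name = ix["name"]
        signers = [a["name"] for a in _flatten(ix.get("accounts", [])) if _is_signer(a)]
        admin_signers = [s for s in signers if s.lower() in ADMIN_ACCOUNT_NAMES]
        reasons = []
        if admin_signers:
            reasons.append("requires operator signer: " + ", ".join(admin_signers))
        hits = [frag for frag in DANGEROUS_FRAGMENTS if frag in name.lower()]
        if hits:
            reasons.append("name suggests " + "/".join(hits))
        if reasons:
            findings.append({"name": name, "admin_signers": admin_signers, "reasons": reasons})
    return findings


def user_facing_instructions(idl: dict) -> list:
    """Instructions callable by a wallet other than the operator."""
    gated = {f["name"] for f in audit_idl(idl) if f["admin_signers"]}
    return [ix["name"] for ix in idl.get("instructions", []) if ix["name"] not in gated]


# Constructed IDL fragment; instruction and account names are illustrative.
SAMPLE_IDL = json.loads("""
{
  "name": "colony_example",
  "instructions": [
    {"name": "buy_land",
     "accounts": [{"name": "player", "isMut": true, "isSigner": true},
                  {"name": "land", "isMut": true, "isSigner": false},
                  {"name": "token_mint", "isMut": true, "isSigner": false}],
     "args": [{"name": "plot", "type": "u32"}]},
    {"name": "claim_earnings",
     "accounts": [{"name": "player", "isMut": true, "isSigner": true},
                  {"name": "token_vault", "isMut": true, "isSigner": false}],
     "args": []},
    {"name": "withdraw_all_sol",
     "accounts": [{"name": "authority", "isMut": true, "isSigner": true},
                  {"name": "treasury", "isMut": true, "isSigner": false}],
     "args": []},
    {"name": "close_token_vault",
     "accounts": [{"name": "authority", "isMut": true, "isSigner": true},
                  {"name": "token_vault", "isMut": true, "isSigner": false}],
     "args": []},
    {"name": "set_token_mint",
     "accounts": [{"name": "authority", "signer": true, "writable": false},
                  {"name": "config", "signer": false, "writable": true}],
     "args": [{"name": "new_mint", "type": "pubkey"}]}
  ]
}
""")

if __name__ == "__main__":
    for f in audit_idl(SAMPLE_IDL):
        print(f["name"], "->", "; ".join(f["reasons"]))
    print("user-facing:", user_facing_instructions(SAMPLE_IDL))
```

Anything `audit_idl` lists is part of the trust model whether or not the README mentions it: the operator key can invoke those instructions at any time, so the balance a user leaves in the program's vaults is only as safe as that key and the person holding it.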

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The README instructs users to place a Solana private key in an environment variable but does not warn that this is a highly sensitive mainnet credential or explain safe handling practices. In a skill designed for autonomous on-chain trading and gameplay, compromise of that key would enable full theft of wallet funds and unauthorized transactions.
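Two of the findings concern the same credential: the generate-wallet command prints the secret key to stdout, and the README has the user park it in an environment variable. The helper below is an added example, not the skill's code, showing the handling a practitioner would want instead: redact anything shaped like a Solana secret key before it reaches a log, derive only the public key for display, and load the keypair from a permission-checked file rather than the environment (environment variables are visible in `/proc/<pid>/environ`, `ps` output and every child process). The key layout is the `solana-keygen` JSON format, a 64-byte array of the 32-byte ed25519 seed followed by the 32-byte public key; the 86-88 character range for base58-encoded secret keys and the redaction placeholders are assumptions, and the sample keypair is constructed, not a real key.

```python
"""Redact Solana secret-key material before it reaches logs, and expose only
the public half of a keypair. Added example; not the skill's own code."""
import json
import os
import re
import stat

# solana-keygen writes a keypair as a JSON array of 64 bytes:
# 32-byte ed25519 seed followed by the 32-byte public key.
KEYPAIR_LEN = 64
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# A 64-entry array of small integers, any whitespace between entries.
_JSON_KEY_RE = re.compile(r"\[\s*(?:\d{1,3}\s*,\s*){63}\d{1,3}\s*\]")
# A base58 run long enough to hold 64 bytes (assumption: 86-88 chars).
_B58_KEY_RE = re.compile(
    r"(?<![1-9A-HJ-NP-Za-km-z])[1-9A-HJ-NP-Za-km-z]{86,88}(?![1-9A-HJ-NP-Za-km-z])")


def b58encode(raw: bytes) -> str:
    """Minimal base58 encoder (Bitcoin/Solana alphabet, no checksum)."""
    n = int.from_bytes(raw, "big")
    out = ""
    while n > 0:
        n, rem = divmod(n, 58)
        out = B58_ALPHABET[rem] + out
    # Each leading zero byte encodes as a leading '1'.
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def redact_secrets(text: str) -> str:
    """Mask anything shaped like a Solana secret key in a log or stdout line."""
    text = _JSON_KEY_RE.sub("[REDACTED 64-byte keypair]", text)
    return _B58_KEY_RE.sub("<REDACTED base58 secret key>", text)


def public_key_of(keypair: list) -> str:
    """Base58 public key from a 64-byte keypair array; the seed half is
    never converted to a string, so it cannot end up in a log by accident."""
    if len(keypair) != KEYPAIR_LEN or any(not 0 <= b <= 255 for b in keypair):
        raise ValueError("not a 64-byte Solana keypair array")
    return b58encode(bytes(keypair[32:]))


def load_keypair(path: str) -> list:
    """Load a keypair file, refusing one that group or world can read.
    A file is preferable to an environment variable, which leaks through
    /proc/<pid>/environ, `ps` and inherited child-process environments."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is mode {oct(mode)}; expected 0600")
    with open(path) as f:
        keypair = json.load(f)
    public_key_of(keypair)  # validates the shape before returning it
    return keypair


if __name__ == "__main__":
    # Constructed sample, not a real key: seed 0..31, public key all zeros.
    sample = list(range(32)) + [0] * 32
    print("pubkey:", public_key_of(sample))
    print(redact_secrets("generated keypair: " + json.dumps(sample)))
```

The redaction filter belongs at the boundary where agent output is captured (the orchestrator's log handler, not the command that prints), because the generate-wallet command itself will keep emitting the key to stdout regardless of how the user runs it.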

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The README advertises autonomous land purchases, upgrades, claims, and token swaps on Solana mainnet without clearly warning that these actions can spend, burn, or otherwise irreversibly lose real funds. Because the skill is explicitly autonomous and strategy-driven, users may underestimate the financial risk and authorize behavior that executes costly transactions without adequate review.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The swap command signs and submits a live Jupiter swap transaction immediately once invoked, spending SOL and accepting a quoted route without an execution-time confirmation barrier. In autonomous agent contexts, a mistaken prompt, bad orchestration decision, or manipulated recommendation can cause real asset loss through unwanted swaps, slippage, or repeated executions.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The buy-land command performs an on-chain purchase that burns 10,000 $OLO as soon as the command is called, with no interactive confirmation or two-step execution flow. Because the action is irreversible and value-destructive, accidental invocation by an agent or user can permanently consume tokens for an unintended asset purchase.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The upgrade-land command immediately submits an irreversible token-spending transaction that consumes $OLO to upgrade a land. In an autonomous gameplay skill, this is risky because an agent can execute upgrades based on flawed logic or manipulated inputs without any final safeguard before funds are spent.
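The swap, buy-land and upgrade-land findings above share one root cause: the command signs as soon as it is invoked, so the only place to put a spending limit or an approval step is in front of the signer. The overview's recommendation (manual review for swaps, purchases and upgrades until spending limits are clear) can be implemented as a policy gate that the orchestrator consults before any transaction is built. The code below is an added example, not the skill's code: the `Intent` shape, the placeholder program IDs, the caps and the approval tokens are all assumptions, and the 10,000 $OLO figure comes from the buy-land finding. It checks a program allowlist, a per-call and 24-hour cap per token, a one-time human approval token for the listed actions, and a fingerprint that blocks the repeated executions the swap finding warns about.

```python
"""Pre-signing policy gate for an agent-driven Solana hot wallet.
Added example; intent format, program IDs and limits are assumptions."""
from dataclasses import dataclass, field
import hashlib
import time


@dataclass
class Intent:
    """What the agent wants to do, described before any transaction is
    built or signed (format assumed for this example)."""
    action: str        # "buy_land", "upgrade_land", "swap", "claim", ...
    program_id: str    # program the instruction targets
    spend_token: str   # token spent or burned ("" if none)
    amount: float      # units spent; 0 for claims or read-only calls
    detail: str = ""   # distinguishes legitimate repeats, e.g. a plot id
    approval: str = "" # one-time human approval token, if any


@dataclass
class Policy:
    allowed_programs: set
    manual_review_actions: set
    per_action_cap: dict   # token -> max units in one call
    daily_cap: dict        # token -> max units per rolling 24h
    approvals: set         # unused one-time approval tokens
    spent: dict = field(default_factory=dict)  # token -> [(ts, amount)]
    seen: set = field(default_factory=set)     # fingerprints already executed


def fingerprint(intent: Intent) -> str:
    key = f"{intent.action}|{intent.program_id}|{intent.spend_token}|{intent.amount}|{intent.detail}"
    return hashlib.sha256(key.encode()).hexdigest()[:16]


def _spent_last_day(policy: Policy, token: str, now: float) -> float:
    return sum(amt for ts, amt in policy.spent.get(token, []) if now - ts < 86400)


def check(policy: Policy, intent: Intent, now=None) -> tuple:
    """Return (allowed, reason). Only an allowed intent goes to the signer.
    Caps are checked before the approval token so a denied call does not
    consume the approval."""
    now = time.time() if now is None else now
    if intent.program_id not in policy.allowed_programs:
        return False, f"program {intent.program_id} not on the allowlist"
    fp = fingerprint(intent)
    if fp in policy.seen:
        return False, "duplicate of an already executed intent"
    if intent.amount > 0:
        cap = policy.per_action_cap.get(intent.spend_token, 0)
        if intent.amount > cap:
            return False, f"{intent.amount} {intent.spend_token} exceeds per-call cap {cap}"
        day_cap = policy.daily_cap.get(intent.spend_token, 0)
        if _spent_last_day(policy, intent.spend_token, now) + intent.amount > day_cap:
            return False, f"would exceed 24h cap of {day_cap} {intent.spend_token}"
    if intent.action in policy.manual_review_actions:
        if intent.approval not in policy.approvals:
            return False, f"{intent.action} requires a manual approval token"
        policy.approvals.discard(intent.approval)  # single use
    # Record state only once every check has passed.
    policy.seen.add(fp)
    if intent.amount > 0:
        policy.spent.setdefault(intent.spend_token, []).append((now, intent.amount))
    return True, "ok"


def sample_policy() -> Policy:
    """Constructed policy: program IDs are placeholders, not real addresses."""
    return Policy(
        allowed_programs={"COLONY_PROGRAM_ID_ASSUMED", "JUPITER_PROGRAM_ID_ASSUMED"},
        manual_review_actions={"buy_land", "upgrade_land", "swap"},
        per_action_cap={"OLO": 10_000, "SOL": 0.1},
        daily_cap={"OLO": 20_000, "SOL": 0.2},
        approvals={"approve-7f3a", "approve-91cd"},
    )


if __name__ == "__main__":
    p = sample_policy()
    buy = Intent("buy_land", "COLONY_PROGRAM_ID_ASSUMED", "OLO", 10_000, detail="plot-17")
    print(check(p, buy))                       # denied: needs approval
    buy.approval = "approve-7f3a"
    print(check(p, buy))                       # allowed
    print(check(p, buy))                       # denied: duplicate
```

The gate is only as good as its placement: it must sit in the path that builds and signs transactions, not in the agent's prompt, since a prompt-level rule is exactly what a manipulated recommendation or injected instruction would override.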

Vague Triggers

Severity: Medium
Confidence: 76%
Finding
The documentation for destructive admin closure is understated and does not clearly warn about irreversible state loss or user impact. Poorly labeled destructive operations increase the chance that integrators, agents, or users underestimate the risk and interact with a program that can delete accounts and alter ownership-related state unexpectedly.

Vague Triggers

Severity: Medium
Confidence: 74%
Finding
The token vault closure description references re-initialization with a new mint but does not explain when this is allowed, what happens to existing balances, or how users are protected. That ambiguity is dangerous because it can mask a mint switch or vault reset that invalidates economic assumptions and can be used to drain or strand user-facing reward funds.

Missing User Warnings

Severity: Medium
Confidence: 80%
Finding
The user-facing buy_land instruction is presented as a simple game action without an explicit warning that it spends real SPL tokens. In this skill context, that omission is risky because autonomous agents or users may treat it like an in-game action while actually transferring real value into a program that also contains admin drain functions.

VirusTotal

66/66 vendors reported this skill as clean (0 detections).