Back to skill

Security audit

The Flip Publish

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Solana devnet game, but it needs review because it reads wallet keypairs and can sign value-moving or admin transactions with incomplete warnings.

Install only if you are comfortable using a dedicated devnet-only Solana wallet. Treat any keypair file as private, do not point this at a mainnet or valuable wallet, review transactions before running enter/claim/withdraw-fees/close-game-v1, and verify the Solana installer source before using the curl-piped command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

Tp4

High
Category
MCP Tool Poisoning
Confidence
86% confidence
Finding
The skill presents the game as a simple winner-takes-all jackpot, but the referenced behavior includes a 1% operator fee, authority-controlled fee withdrawal, and an authority-only close function. That mismatch is security-relevant because users may commit funds under incomplete assumptions about who can extract value or exercise control over game state, undermining informed consent and trust in the on-chain system.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The description says a 14/14 winner takes the entire jackpot, but the state includes `operator_pool` and the program provides `withdraw_fees`, meaning some funds are diverted away from winners. This is dangerous because it materially misrepresents payout economics and can cause users to enter under false financial expectations.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The description says a 14/14 winner takes the entire jackpot, but the state includes `operator_pool` and the program provides `withdraw_fees`, meaning some funds are diverted away from winners. This is dangerous because it materially misrepresents payout economics and can cause users to enter under false financial expectations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README instructs users to run a command with a local Solana keypair path (`~/.config/solana/id.json`) that can sign transactions and transfer funds, but it does not explicitly warn that this uses a real wallet credential and may spend USDC or SOL for fees. In an agent/automation context, this can cause users or systems to invoke a state-changing transaction with a privileged local key without fully understanding the financial effect.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The documented `withdraw-fees` operator command performs a funds-withdrawal action but is presented like a normal operational command without an explicit warning about its financial effect. This increases the risk of accidental invocation by operators, scripts, or agents that may not distinguish read-only commands from irreversible value-moving actions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The command examples encourage users to enter the game and optionally pass a local wallet file, but they do not clearly warn that this spends wallet funds and requires signing with a private-key-backed local wallet. In an agent skill context, omission of that warning increases the risk of users authorizing transactions they do not fully understand, especially if automation executes commands on their behalf.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The setup instructions tell users to install Solana tooling and generate a local keypair, but they do not warn that the resulting wallet file is sensitive secret material. Even on devnet, normalizing unsafe key handling can lead users to store or reuse wallet files insecurely, and the same habits can later expose mainnet funds.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The manifest/instruction docs describe entry and payout flows that move USDC, but they do not prominently warn users about financial loss, token transfer authorization, or gambling risk. In a skill that can cause real asset movement, insufficient disclosure increases the chance of uninformed or accidental participation.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"demo": "node app/demo.mjs"
  },
  "dependencies": {
    "@coral-xyz/anchor": "^0.30.1",
    "@solana/spl-token": "^0.4.14",
    "@solana/web3.js": "^1.98.4"
  },
Confidence
95% confidence
Finding
"@coral-xyz/anchor": "^0.30.1"

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "dependencies": {
    "@coral-xyz/anchor": "^0.30.1",
    "@solana/spl-token": "^0.4.14",
    "@solana/web3.js": "^1.98.4"
  },
  "devDependencies": {
Confidence
95% confidence
Finding
"@solana/spl-token": "^0.4.14"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"dependencies": {
    "@coral-xyz/anchor": "^0.30.1",
    "@solana/spl-token": "^0.4.14",
    "@solana/web3.js": "^1.98.4"
  },
  "devDependencies": {
    "@types/chai": "^4.3.0",
Confidence
95% confidence
Finding
"@solana/web3.js": "^1.98.4"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"@solana/web3.js": "^1.98.4"
  },
  "devDependencies": {
    "@types/chai": "^4.3.0",
    "@types/mocha": "^10.0.0",
    "chai": "^4.3.0",
    "ts-mocha": "^10.0.0",
Confidence
88% confidence
Finding
"@types/chai": "^4.3.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "devDependencies": {
    "@types/chai": "^4.3.0",
    "@types/mocha": "^10.0.0",
    "chai": "^4.3.0",
    "ts-mocha": "^10.0.0",
    "typescript": "^5.0.0"
Confidence
88% confidence
Finding
"@types/mocha": "^10.0.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"devDependencies": {
    "@types/chai": "^4.3.0",
    "@types/mocha": "^10.0.0",
    "chai": "^4.3.0",
    "ts-mocha": "^10.0.0",
    "typescript": "^5.0.0"
  }
Confidence
88% confidence
Finding
"chai": "^4.3.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"@types/chai": "^4.3.0",
    "@types/mocha": "^10.0.0",
    "chai": "^4.3.0",
    "ts-mocha": "^10.0.0",
    "typescript": "^5.0.0"
  }
}
Confidence
88% confidence
Finding
"ts-mocha": "^10.0.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
"@types/mocha": "^10.0.0",
    "chai": "^4.3.0",
    "ts-mocha": "^10.0.0",
    "typescript": "^5.0.0"
  }
}
Confidence
88% confidence
Finding
"typescript": "^5.0.0"

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.potential_exfiltration

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
app/demo.mjs:43

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
app/demo.mjs:43