pumpmarket skill
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This skill was not observed stealing data, but it should be reviewed because it can guide an agent to use a Solana private key and spend real SOL in betting markets.
Install only if you intend to let an agent interact with PumpMarket on Solana mainnet. Use a separate low-balance wallet, verify the program and API addresses, pin dependencies, and require explicit approval plus a maximum SOL limit before any bet or market-creation transaction.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If an agent or a copied example uses the skill's wallet private key, it can authorize real mainnet transactions and lose funds through bets or mistakes.
The skill instructs the user to supply a funded wallet private key that can sign Solana transactions and spend SOL. The registry metadata declares no primary credential or required environment variable, so the authority granted by this credential is under-disclosed everywhere outside the skill text itself.
A Solana wallet with a keypair ... Funded with SOL ... const keypair = Keypair.fromSecretKey(bs58.decode(process.env.PRIVATE_KEY!));
Declare the wallet credential requirement clearly, use a dedicated low-balance betting wallet, avoid broad PRIVATE_KEY exposure, and require explicit user approval and wager limits for every transaction.
Bad predictions, malformed transactions, or unintended agent actions can directly cost SOL.
The skill openly targets real-money on-chain betting. This is purpose-aligned, but it is high-impact and should not be treated like a read-only prediction helper.
**This is mainnet. Bets use real SOL.** ... All addresses, API URLs, and code examples target Solana mainnet-beta.
Start with dry-run simulation, set a hard maximum bet size, and require confirmation before any createMarket or placeBet transaction.
Future or compromised package versions could affect code that handles transaction signing.
The setup relies on user-directed npm installs with no pinned versions and no lockfile in the provided artifacts. This is normal for a Solana transaction-construction skill, but users should be aware of the dependency trust boundary it creates.
npm install @coral-xyz/anchor @solana/web3.js
Pin package versions, install from trusted registries, and review dependency changes before using a wallet key.
