Back to skill

Security audit

Outsmart Devving Coins

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent for launching Solana tokens, but it gives an agent high-impact wallet-signing authority through an external CLI without strong execution guardrails.

Install only if you intentionally want agent-assisted Solana token launches. Use a fresh low-balance wallet, verify and pin the `outsmart` npm package yourself, never use a primary wallet private key, and manually approve every transaction amount, fee, token detail, pool, and liquidity action before running commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill’s stated scope is token launching, but the documented workflow extends into post-launch pool creation and active liquidity management. This broadens the agent’s operational authority into higher-risk financial actions that can materially affect market structure, user funds, and token trading conditions, increasing the chance of misuse or accidental harmful execution beyond the user’s original intent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.