Pump Fun

Security checks across malware telemetry and agentic risk

Overview

This skill is for crypto trading and clearly asks for a Solana private key, but it gives high-impact trade and token-launch authority without enough visible implementation or transaction safeguards.

Review before installing. Use only a dedicated low-balance wallet, never a main wallet. Do not set SOLANA_PRIVATE_KEY unless you can inspect and trust the actual implementation, and manually verify token mint, amount, slippage, fees, and wallet impact before every trade or token launch.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The skill exposes commands for financially irreversible actions such as selling 100% of holdings and launching tokens, but it does not clearly warn users about irreversible execution, potential total loss, or the consequences of submitting on-chain trades. Because this skill is user-invocable and tied to a live private key, ambiguous or casual use could cause unintended asset loss or unwanted token creation.

VirusTotal

64/64 vendors flagged this skill as clean.