Skill flagged — review recommended

ClawHub Security found sensitive or high-impact capabilities. Review the scan results before using.

Pump MCP Server

Model Context Protocol server exposing 7 tools, 3 resource types, and 3 prompts for AI agent consumption — Solana wallet operations, vanity address generation, message signing, and address validation over stdio transport.

Audits

Suspicious

Install

openclaw skills install pump-mcp-server

MCP Server — Model Context Protocol for Solana Wallet Operations

Model Context Protocol server exposing tools, resources, and prompts for AI agent consumption over stdio transport with session keypair management.

Architecture

AI Agent (Claude, etc.)
        │
    stdio transport
        │
   SolanaWalletMCPServer
        │
   ┌────┼────────┬──────────┐
   │    │        │          │
  Tools Resources Prompts  Session
   │    │        │        State
   7    3        3         │
  tools types   prompts  Keypair

Tools (7)

Tool                  Description
generate_keypair      Generate a new random Solana keypair
generate_vanity       Generate vanity address with prefix/suffix
estimate_vanity_time  Estimate time for vanity pattern
validate_address      Validate a Solana Base58 address
sign_message          Sign a message with session keypair
verify_signature      Verify a signed message
restore_keypair       Restore keypair from secret key bytes

Resources (3)

URI Pattern                  Description
solana://keypair/current     Current session keypair info
solana://keypair/{id}        Specific keypair by ID
solana://address/{address}   Address validation details

Prompts (3)

Prompt            Description
generate-wallet   Guide user through wallet generation
vanity-address    Guide vanity address generation with difficulty estimate
security-review   Review security of wallet operations

Session State Management

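import { Keypair } from "@solana/web3.js";

// Public-only view of a keypair; field set assumed here, the page does not show it.
interface KeypairInfo { publicKey: string; }

class SolanaWalletMCPServer {
    private sessionKeypair: Keypair | null = null;

    generateKeypair(): KeypairInfo {
        if (this.sessionKeypair) {
            // zeroize old; this clears the key only if secretKey is the stored buffer, not a copy
            this.sessionKeypair.secretKey.fill(0);
        }
        this.sessionKeypair = Keypair.generate();
        return this.getKeypairInfo();
    }

    // Assumed helper (not shown on the page): returns public data only.
    private getKeypairInfo(): KeypairInfo {
        return { publicKey: this.sessionKeypair!.publicKey.toBase58() };
    }
}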

Security Model

  • Session keypair is zeroized when replaced or server shuts down
  • No network calls for key generation
  • All crypto uses @solana/web3.js only
  • Zod schemas validate all tool inputs
  • Secret key bytes are never logged or exposed in resources
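
The zeroize step in the session-state snippet, and the first bullet above, hold only if `secretKey` hands out the buffer the key object actually stores; if the accessor returns a copy, `fill(0)` wipes a temporary. The following is an added example, not the project's code: `CopyingKey`, `LiveKey`, `SessionSecret` and the sample bytes are hypothetical stand-ins that show how to test for this and how a session holder can own its buffer so the wipe is verifiable.

```typescript
// Added example; every name below is a hypothetical stand-in.
type SecretHolder = { readonly secretKey: Uint8Array };

// Accessor returns a fresh copy on every read.
class CopyingKey implements SecretHolder {
    private readonly bytes: Uint8Array;
    constructor(bytes: Uint8Array) { this.bytes = bytes; }
    get secretKey(): Uint8Array { return new Uint8Array(this.bytes); }
}

// Accessor returns the buffer the object actually stores.
class LiveKey implements SecretHolder {
    private readonly bytes: Uint8Array;
    constructor(bytes: Uint8Array) { this.bytes = bytes; }
    get secretKey(): Uint8Array { return this.bytes; }
}

const isZero = (b: Uint8Array): boolean => b.every((x) => x === 0);

// Destructive check: wipe what the accessor hands out, then read it again.
// false means fill(0) only cleared a temporary copy and the key is still in memory.
function wipeReachesStoredKey(key: SecretHolder): boolean {
    key.secretKey.fill(0);
    return isZero(key.secretKey);
}

// Session state that owns its single buffer, so the wipe is observable.
class SessionSecret {
    private bytes: Uint8Array | null = null;

    // Takes ownership of `next`; the previous key is zeroized first.
    replace(next: Uint8Array): void {
        this.wipe();
        this.bytes = next;
    }

    // Call on replacement and on server shutdown.
    wipe(): void {
        if (this.bytes) this.bytes.fill(0);
        this.bytes = null;
    }

    hasKey(): boolean { return this.bytes !== null; }
}

// Constructed sample bytes 1..64, not real key material.
const sampleSecret = (): Uint8Array => new Uint8Array(64).map((_, i) => i + 1);
```

`wipeReachesStoredKey` accepts any object with a `secretKey` accessor, so it can be run against a throwaway key from the library version in use; it destroys that key when the accessor is live.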

Patterns to Follow

  • Validate all inputs with Zod schemas before processing
  • Zeroize secret keys when replaced or on shutdown
  • Return structured JSON for all tool responses
  • Use descriptive error messages for validation failures
  • Keep session state minimal — one active keypair at a time

Common Pitfalls

  • Session keypair is ephemeral — lost when server restarts
  • generate_vanity is single-threaded — long prefixes will be slow
  • sign_message requires an active session keypair — generate_keypair first
  • Resource URIs are case-sensitive