Solana Trading Api

Security checks across malware telemetry and agentic risk

Overview

This is a documented Solana trading skill, but it asks an agent to use wallet signing authority for real trades and persistent orders, so users should review it carefully before installing.

Install only if you intentionally want an agent to help trade Solana assets through TradeRouter. Use a dedicated low-balance wallet, avoid exposing a main wallet private key, keep DRY_RUN enabled until tested, require explicit confirmation for token, side, amount, slippage, expiry, and cancellation policy, and check/cancel open orders after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill documents live trading, wallet-based identity, and signed transaction submission to a third-party API, but it does not present a prominent upfront warning that disabling dry-run enables irreversible live trades and transmission of wallet addresses/signed transactions. In an agent setting, insufficient disclosure increases the chance of unintended real-money actions and unsafe user consent, especially because the skill includes copy-paste runnable code.

VirusTotal

65/65 vendors flagged this skill as clean.
