Solana Connect

Security checks across malware telemetry and agentic risk

Overview

This Solana wallet skill matches its stated purpose, but it can move real funds with a raw private key while overstating key protection and documenting approval bypasses.

Install only after treating this as a high-impact financial tool. Use testnet or a dedicated low-value wallet, do not provide a primary wallet private key to an agent, keep dry-run enabled by default, verify network/recipient/amount yourself, and avoid `skipConfirmation` for real funds.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence

High (98% confidence)
Finding
The README makes a strong security claim that private keys are never exposed to the agent, but the documented API and examples require callers to provide `privateKey` directly to functions like `sendSol` and `connectWallet`. In an AI-agent context, this mismatch is dangerous because developers may trust the documentation and route sensitive key material through the agent runtime, enabling key disclosure, misuse, or unauthorized signing.

Intent-Code Divergence

Medium (87% confidence)
Finding
The README markets the toolkit as 'safe by default' with dry-run and human confirmation, yet it also documents and normalizes `skipConfirmation: true` for real transactions. That inconsistency can mislead integrators into assuming safeguards remain in place while examples explicitly demonstrate bypassing them, increasing the risk of unintended or automated fund transfers.

Intent-Code Divergence

Medium (97% confidence)
Finding
The file header claims that testnet mode is enforced, but the actual RPC endpoint is taken from `SOLANA_RPC_URL` and can therefore point to mainnet. In an agent-integrated wallet skill, this discrepancy is dangerous because operators or upstream tooling may rely on the documented safety guarantee and unintentionally enable real-value transactions.

Intent-Code Divergence

Medium (98% confidence)
Finding
The code advertises human confirmation for large transfers, but the `skipConfirmation` option completely bypasses that control when `dryRun` is false. In an AI-agent context, exposing a bypassable confirmation flag undermines the primary safeguard against unauthorized or prompt-induced high-value transactions.

Missing User Warnings

Medium (91% confidence)
Finding
The example shows how to execute a real Solana transaction while explicitly skipping confirmation, but it does not clearly warn that blockchain transfers are irreversible and may immediately move funds. In a skill intended for autonomous agents, such examples are especially risky because they encourage copy-paste usage patterns that disable human oversight.

Missing User Warnings

Medium (94% confidence)
Finding
The documentation explicitly shows how to perform a real on-chain transfer with `dryRun` disabled and `skipConfirmation` enabled, which normalizes bypassing a core safety control. In an agent context, this materially increases the risk of unauthorized or mistaken irreversible fund transfers, especially because blockchain transactions cannot be rolled back once submitted.

Missing User Warnings

Medium (94% confidence)
Finding
When `skipConfirmation` is used, the function sends a real transaction directly with no guaranteed user-facing disclosure or approval step. In a blockchain transfer skill, this is especially dangerous because transactions are irreversible and an agent or compromised workflow could move funds silently once given signing material.

VirusTotal

64/64 vendors flagged this skill as clean.
