Solana CLI for trading, prediction markets, defi and x402 payments

Security checks across malware telemetry and agentic risk

Overview

This is a broad Solana wallet and trading CLI skill that can affect real funds, but its sensitive behavior is mostly disclosed and matches its stated purpose.

Install only if you intend to let an agent help with real Solana wallet operations. Use a dedicated low-balance wallet, configure permissions and spending limits before trading, keep ~/.sol/ off-limits to agents and other tools, prefer --dry-run or --quote-only first, and require explicit human confirmation for transfers, swaps, burns, closes, borrowing, staking, LP, prediction trades, and x402 payments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (14)

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
The documentation exposes destructive token-management commands (`burn`, `close --all`, `--burn`) that can permanently destroy assets or alter wallet state, but these capabilities are not called out in the skill description/manifest context provided to users. That mismatch increases the chance that an agent or user invokes high-risk operations without understanding the full capability surface, especially in an autonomous CLI workflow handling real wallets.

Vague Triggers

Medium
Confidence: 88%
Finding
The skill advertises a very broad set of high-risk financial and wallet-management actions, making it likely to be invoked for many ambiguous crypto requests without strong safety boundaries. In an agent setting, over-broad routing can lead to unintended execution of money-moving, trading, borrowing, or wallet-modifying commands when the user only asked for information or exploration.

Missing User Warnings

Medium
Confidence: 86%
Finding
The wallet creation/import section tells the agent how to create and import wallets but does not immediately warn that these actions write sensitive private key material to local disk. In agent-driven environments, this omission can cause users to authorize wallet operations without appreciating that long-lived secrets are being created and persisted on the host.

Missing User Warnings

Medium
Confidence: 92%
Finding
The documentation states that `sol fetch` will automatically build and partially sign a USDC payment transaction and retry the request when a server returns HTTP 402, but it does not place a prominent safety warning up front about spending funds, trusting remote payment requirements, and transmitting payment-related signed data to an external service. In a wallet/trading skill, this is materially risky because users may treat it like ordinary `curl` and unintentionally authorize payments to arbitrary endpoints.

Missing User Warnings

Medium
Confidence: 84%
Finding
This reference documents commands that directly move assets and alter live lending/borrowing positions, but it does not clearly warn users that these actions are irreversible on-chain operations with financial risk. In a wallet/trading skill, that omission is security-relevant because users may treat examples and command references as low-risk informational commands and accidentally deposit, borrow, repay, or withdraw real funds.

Missing User Warnings

Medium
Confidence: 92%
Finding
The documentation states that the CLI auto-picks the best protocol or defaults to a protocol without prominently warning that funds may be routed to an automatically selected venue. In a multi-protocol DeFi context, silent defaulting increases the chance of users sending assets to a protocol they did not intend to use, with different risks, liquidity, terms, or trust assumptions.

Missing User Warnings

Medium
Confidence: 90%
Finding
This section documents liquidity deposit, withdrawal, farming, and pool-creation commands that can directly move or lock user funds, but it does not place a clear, explicit warning near the actionable commands about loss risks such as impermanent loss, adverse price movement, slippage, smart-contract/protocol risk, or irreversible mistakes. In a wallet/trading skill, users may treat command examples as safe defaults, so omission of prominent risk warnings can lead to real financial loss even without any code exploit.

Missing User Warnings

Medium
Confidence: 92%
Finding
The documented `buy`, `sell`, and `claim` commands initiate real-money financial actions using USDC and on-chain positions, but the reference does not clearly warn that these actions can cause immediate financial loss, may be difficult or impossible to reverse once submitted, and may have market/settlement risk. In a CLI skill intended to let users trade prediction markets directly, omission of explicit transaction-risk warnings increases the chance of accidental or uninformed execution of costly actions.

Missing User Warnings

Medium
Confidence: 90%
Finding
The documentation instructs users to create stake accounts and withdraw or deactivate stake without clearly warning that these commands move real on-chain funds and can trigger irreversible or delayed staking state changes. In a CLI skill focused on live Solana wallet and trading operations, this omission increases the chance of accidental fund movement, unintended delegation, or confusion around cooldown timing and withdrawal availability.

Missing User Warnings

Medium
Confidence: 95%
Finding
`sol token burn` is an irreversible asset-destruction operation, yet the reference presents it as a normal command with examples and flags but no explicit warning that burned tokens cannot be recovered. In a wallet/trading skill, an agent or user could mistakenly destroy balances—potentially entire holdings with `--all`—causing permanent financial loss.

Missing User Warnings

Medium
Confidence: 88%
Finding
The account-closing section documents bulk operations such as `sol token close --all --burn` without a strong warning that these commands can modify many wallet accounts at once and may first burn residual token dust. While account closure itself is not always harmful, in combination with bulk selection and burn behavior it can lead to unintended wallet changes and permanent loss of residual assets.

Missing User Warnings

Medium
Confidence: 90%
Finding
The troubleshooting guide instructs users to run a destructive deletion command against the application's SQLite database without a prominent warning or safer recovery steps first. In a wallet/trading context, deleting local state can cause loss of transaction history, portfolio snapshots, and operational data, and users may run it reflexively while troubleshooting.

Missing User Warnings

Medium
Confidence: 92%
Finding
The documentation explicitly states that newly created Ed25519 keypairs are stored on disk under ~/.sol/wallets/<name>.json. Although it mentions chmod 600, it does not warn users that these files contain full private key material whose compromise enables complete wallet takeover and irreversible asset theft. In a wallet/trading skill, this omission is more dangerous because users are likely to create hot wallets that hold real funds.

Missing User Warnings

Medium
Confidence: 95%
Finding
The import instructions tell users to copy existing key files into ~/.sol/wallets/ but provide no warning that the source file and destination both contain highly sensitive private key material. Users may import keys from insecure paths, leave duplicate secret-bearing files behind, or mishandle Solana CLI keypairs, any of which can expose wallets to theft. Because this skill is for payments, trading, and yield actions, imported wallets may control valuable assets and protocol positions.

VirusTotal

64/64 vendors flagged this skill as clean.
