Back to skill

Security audit

Solana

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says, but it gives an agent real Solana spending authority with weak safeguards and some misleading token-launch guidance.

Review carefully before installing. Use only a new low-balance wallet, test on devnet first, avoid giving an autonomous agent a valuable private key, manually verify every recipient, amount, token mint, swap route, fee, and network before broadcasting, and do not use the vanity-address guidance to imply authenticity, endorsement, or safety.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (27)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill clearly requires environment secrets, reads and writes local files, and performs networked financial operations, yet it does not declare permissions. This weakens host-side policy enforcement and informed consent, especially because the skill can handle private keys and submit real mainnet transactions.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The documentation explicitly recommends vanity mint addresses ending in 'pump' to make tokens look more legitimate. That is a deception-oriented instruction unrelated to normal wallet management and can facilitate impersonation, market manipulation, or scam token launches.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The help text explicitly suggests using a vanity mint key ending in 'pump' to make tokens look 'more legit-looking.' That is deceptive guidance that can facilitate social engineering or misleading branding in a token-launch tool, especially in a retail crypto context where perceived legitimacy materially affects user trust.

Vague Triggers

Medium
Confidence
89% confidence
Finding
Broad triggers like 'wallet' and 'swap' increase the chance this skill is invoked in ambiguous contexts where a user did not intend Solana financial tooling. In this case, accidental invocation is more dangerous because the skill can expose credentials, query balances, and initiate irreversible on-chain actions.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill documents sending SOL/tokens, swapping assets, and launching tokens on mainnet by default without prominent warnings that these actions spend real assets and are generally irreversible. In a wallet-management context, missing spend-risk warnings materially raises the chance of accidental financial loss.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The swap command signs and executes a live on-chain transaction immediately after receiving a quote, with no explicit confirmation step, no display of full transaction details, and no slippage/recipient/program validation visible to the user. In a wallet-operation skill, this is dangerous because any mistaken input, manipulated API response, or unexpected route can directly cause irreversible asset loss.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script serializes a signed Solana transaction and sends it to Jupiter's external execute endpoint without an explicit warning that the signed payload is being disclosed to a third party. Although transaction submission to a relay/API can be legitimate, users should be clearly informed because the signed transaction can reveal trading intent and can be replayed or mishandled within its validity window if controls are weak.

Natural-Language Policy Violations

Medium
Confidence
98% confidence
Finding
The CLI examples/prompts encourage creating vanity mint addresses specifically to make tokens appear more legitimate. In the context of a token-launch script, this promotes deceptive presentation and can aid scam deployment by making fraudulent assets seem trustworthy.

Missing User Warnings

High
Confidence
96% confidence
Finding
The script defaults to mainnet and sends a token-launch transaction, optionally including a dev buy that spends SOL, without any interactive confirmation or dry-run safeguard. Combined with skip_preflight=True, this increases the chance of accidental irreversible loss or unintended on-chain actions from mistyped parameters or operator error.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The token send path can silently create the recipient's associated token account and then immediately broadcast the transaction, which adds an extra on-chain action and fee beyond the user's stated intent to 'send tokens'. In an agent skill context, where commands may be triggered indirectly or by natural-language workflows, the lack of an explicit confirmation step increases the risk of unintended fund expenditure and surprise state changes on mainnet.

Ssd 4

Medium
Confidence
99% confidence
Finding
The instruction to use vanity addresses for 'more legit-looking tokens' normalizes deceptive token issuance. This is not merely poor phrasing; it encourages misrepresentation that can directly support fraud against traders or users evaluating a newly launched asset.

Ssd 4

Medium
Confidence
97% confidence
Finding
Recommending vanity mint keys to make tokens look more legitimate encourages deceptive branding behavior. In a crypto asset launch workflow, such framing can directly support fraudulent or manipulative launches by increasing false user confidence.

Env Variable Harvesting

High
Category
Data Exfiltration
Content
def get_keypair() -> Keypair:
    """Load keypair from environment variable."""
    private_key = os.environ.get("SOLANA_PRIVATE_KEY")

    if not private_key:
        print("Error: SOLANA_PRIVATE_KEY environment variable not set.")
Confidence
80% confidence
Finding
os.environ.get("SOLANA_PRIVATE_KEY

Credential Access

High
Category
Privilege Escalation
Content
#!/usr/bin/env python3
"""
Solana Wallet Initialization
Creates a new wallet and saves the private key to .env file
"""

import os
Confidence
92% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
def save_to_env(private_key_base58: str, env_path: Path = None):
    """Save private key to .env file."""
    if env_path is None:
        env_path = Path.cwd() / ".env"
Confidence
94% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
def save_to_env(private_key_base58: str, env_path: Path = None):
    """Save private key to .env file."""
    if env_path is None:
        env_path = Path.cwd() / ".env"
    
    env_content = {}
Confidence
94% confidence
Finding
.env"

Credential Access

High
Category
Privilege Escalation
Content
# Update or add SOLANA_PRIVATE_KEY
    env_content["SOLANA_PRIVATE_KEY"] = private_key_base58
    
    # Write back to .env
    with open(env_path, "w") as f:
        for key, value in env_content.items():
            f.write(f"{key}={value}\n")
Confidence
97% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
private_key_bytes = bytes(keypair)
    private_key_base58 = base58.b58encode(private_key_bytes).decode("utf-8")
    
    # Save to .env
    saved_path = save_to_env(private_key_base58, env_path)
    
    print("✅ New wallet created!\n")
Confidence
96% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
print()
    print("To use the wallet, export the private key to your environment:")
    print()
    print("  export SOLANA_PRIVATE_KEY=$(grep SOLANA_PRIVATE_KEY .env | cut -d '=' -f2)")
    print()
    print("Or source the .env file:")
    print()
Confidence
91% confidence
Finding
.env

Credential Access

High
Category
Privilege Escalation
Content
print()
    print("  export SOLANA_PRIVATE_KEY=$(grep SOLANA_PRIVATE_KEY .env | cut -d '=' -f2)")
    print()
    print("Or source the .env file:")
    print()
    print("  source .env")
    print()
Confidence
93% confidence
Finding
.env

Unpinned Dependencies

Low
Category
Supply Chain
Content
solana>=0.34.0
solders>=0.21.0
base58>=2.1.0
python-dotenv>=1.0.0
Confidence
98% confidence
Finding
solana>=0.34.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
solana>=0.34.0
solders>=0.21.0
base58>=2.1.0
python-dotenv>=1.0.0
aiohttp>=3.9.0
Confidence
98% confidence
Finding
solders>=0.21.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
solana>=0.34.0
solders>=0.21.0
base58>=2.1.0
python-dotenv>=1.0.0
aiohttp>=3.9.0
Confidence
96% confidence
Finding
base58>=2.1.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
solana>=0.34.0
solders>=0.21.0
base58>=2.1.0
python-dotenv>=1.0.0
aiohttp>=3.9.0
Confidence
99% confidence
Finding
python-dotenv>=1.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
solders>=0.21.0
base58>=2.1.0
python-dotenv>=1.0.0
aiohttp>=3.9.0
Confidence
99% confidence
Finding
aiohttp>=3.9.0

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.