Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pump MCP Server

v0.1.0

Model Context Protocol server exposing 7 tools, 3 resource types, and 3 prompts for AI agent consumption — Solana wallet operations, vanity address generatio...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The stated purpose (MCP server for Solana wallet operations) is coherent with the listed tools/resources/prompts. However the SKILL.md explicitly claims implementation details (use of @solana/web3.js, Zod schemas, JS class snippets) but the package provides no code files, no install spec, and no declared runtime (Node/npm) or dependency list. That is a meaningful mismatch: a consumer would reasonably expect declared dependencies or shipped code for these claims.
Instruction Scope
The instructions stay within the advertised scope — they describe keypair generation, signing, validation, and session management and do not instruct reading unrelated files or env vars. They also explicitly recommend zeroizing secrets and not logging secret bytes. However, these are prescriptive best-practices in prose only; there are no concrete runtime checks or enforcement steps, so the security guarantees are claimed but unverifiable from the provided materials.
Install Mechanism
This is an instruction-only skill with no install spec. That alone is low risk, but the SKILL.md's reliance on @solana/web3.js and Zod implies Node runtime dependencies that are not declared. The lack of an explicit, trustworthy install mechanism or packaged code means an agent or integrator may have to fetch/run code ad hoc — increasing risk and making the implementation details unverifiable.
Credentials
The skill requests no environment variables or system config, which is proportionate. Nevertheless, it deals with highly sensitive material (Solana secret keys kept in session memory). The SKILL.md's statement that secret key bytes are never logged and are zeroized is good practice, but without code or runtime guarantees this is an unverified claim; treat any skill that handles private keys as high-risk unless you can inspect the implementation.
Persistence & Privilege
The skill does not request always:true, does not claim system-wide persistence, and makes no changes to other skills' configs. Session state is described as ephemeral (one in-memory keypair), which is reasonable for the purpose.
What to consider before installing
This skill describes a Solana MCP server and claims concrete JS libraries and secure handling of secret keys, but provides only a prose spec (no code, no dependency list, no install instructions). Before installing or relying on it:
1) Ask the publisher for the actual source code or a vetted install package (show Node/npm dependencies, package.json, and build/install steps).
2) Verify how secret keys are stored, zeroized, and that no logs or external network calls can leak key material.
3) Do not use with real funds or production keys until the implementation is auditable and dependencies are explicit.
If you can't inspect code, treat this as untrusted for signing operations.


latest · vk9799hxp3meep8szc0dhg1vsk981z6sq


SKILL.md

MCP Server — Model Context Protocol for Solana Wallet Operations

Model Context Protocol server exposing tools, resources, and prompts for AI agent consumption over stdio transport with session keypair management.

Architecture

AI Agent (Claude, etc.)
        │
    stdio transport
        │
   SolanaWalletMCPServer
        │
   ┌────┼────────┬──────────┐
   │    │        │          │
  Tools Resources Prompts  Session
   │    │        │        State
   7    3        3         │
  tools types   prompts  Keypair

Tools (7)

| Tool                 | Description                                   |
|----------------------|-----------------------------------------------|
| generate_keypair     | Generate a new random Solana keypair          |
| generate_vanity      | Generate vanity address with prefix/suffix    |
| estimate_vanity_time | Estimate time for vanity pattern              |
| validate_address     | Validate a Solana Base58 address              |
| sign_message         | Sign a message with session keypair           |
| verify_signature     | Verify a signed message                       |
| restore_keypair      | Restore keypair from secret key bytes         |
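The validate_address and estimate_vanity_time tools in the table are only described, not implemented, in the package. The following is an added example, not code from the skill or its publisher, showing how both can be built with no dependencies. It assumes that a Solana address is the Base58 encoding of a 32-byte Ed25519 public key (true of @solana/web3.js public keys) and that the expected cost of a vanity search grows as 58 to the power of the pattern length, which is an approximation since the leading character of a 32-byte value is not perfectly uniform. The function and type names are the example's own.

```typescript
// Added example, not the skill's own code: dependency-free Base58 handling for
// validate_address and a cost model for estimate_vanity_time. Assumption: a
// Solana address is the Base58 encoding of a 32-byte Ed25519 public key.
const BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";

// Decode Base58 into bytes; returns null if any character is outside the alphabet.
export function base58Decode(input: string): Uint8Array | null {
    const bytesLE: number[] = []; // little-endian base-256 accumulator
    for (let i = 0; i < input.length; i++) {
        let carry = BASE58_ALPHABET.indexOf(input.charAt(i));
        if (carry < 0) return null;
        for (let j = 0; j < bytesLE.length; j++) {
            carry += bytesLE[j] * 58;
            bytesLE[j] = carry & 0xff;
            carry >>= 8;
        }
        while (carry > 0) {
            bytesLE.push(carry & 0xff);
            carry >>= 8;
        }
    }
    // Each leading '1' stands for one leading 0x00 byte.
    for (let i = 0; i < input.length && input.charAt(i) === "1"; i++) bytesLE.push(0);
    return new Uint8Array(bytesLE.reverse());
}

// Encode bytes as Base58 (the inverse of base58Decode).
export function base58Encode(bytes: Uint8Array): string {
    const digitsLE: number[] = []; // little-endian base-58 accumulator
    for (let i = 0; i < bytes.length; i++) {
        let carry = bytes[i];
        for (let j = 0; j < digitsLE.length; j++) {
            carry += digitsLE[j] * 256;
            digitsLE[j] = carry % 58;
            carry = Math.floor(carry / 58);
        }
        while (carry > 0) {
            digitsLE.push(carry % 58);
            carry = Math.floor(carry / 58);
        }
    }
    let out = "";
    for (let i = 0; i < bytes.length && bytes[i] === 0; i++) out += "1";
    for (let j = digitsLE.length - 1; j >= 0; j--) out += BASE58_ALPHABET.charAt(digitsLE[j]);
    return out;
}

// Structured result for the validate_address tool (example's own shape).
export interface AddressValidation {
    valid: boolean;
    address: string;
    byteLength: number | null;
    error: string | null;
}

export function validateAddress(address: string): AddressValidation {
    const fail = (error: string, byteLength: number | null = null): AddressValidation =>
        ({ valid: false, address, byteLength, error });
    // A 32-byte value encodes to between 32 and 44 Base58 characters.
    if (address.length < 32 || address.length > 44) {
        return fail("a 32-byte key encodes to 32 to 44 Base58 characters");
    }
    const bytes = base58Decode(address);
    if (bytes === null) return fail("contains a character outside the Base58 alphabet (no 0, O, I, l)");
    if (bytes.length !== 32) return fail(`decodes to ${bytes.length} bytes, expected 32`, bytes.length);
    return { valid: true, address, byteLength: 32, error: null };
}

// Expected number of candidate keys before one matches a case-sensitive
// prefix/suffix, treating each address character as uniform over 58 symbols
// (an approximation; good enough to explain why long prefixes are slow).
export function estimateVanityAttempts(prefix: string, suffix: string = ""): number {
    const pattern = prefix + suffix;
    for (let i = 0; i < pattern.length; i++) {
        if (BASE58_ALPHABET.indexOf(pattern.charAt(i)) < 0) {
            throw new Error(`'${pattern.charAt(i)}' can never appear in a Base58 address`);
        }
    }
    return Math.pow(58, pattern.length);
}

export function estimateVanitySeconds(prefix: string, suffix: string, keysPerSecond: number): number {
    if (keysPerSecond <= 0) throw new Error("keysPerSecond must be positive");
    return estimateVanityAttempts(prefix, suffix) / keysPerSecond;
}
```

The validator rejects a pattern containing characters that Base58 excludes (0, O, I, l) with a descriptive message rather than silently searching forever, and the estimate makes the single-threaded cost visible: each extra pattern character multiplies the expected work by 58.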

Resources (3)

| URI Pattern                | Description                   |
|----------------------------|-------------------------------|
| solana://keypair/current   | Current session keypair info  |
| solana://keypair/{id}      | Specific keypair by ID        |
| solana://address/{address} | Address validation details    |

Prompts (3)

| Prompt          | Description                                                |
|-----------------|------------------------------------------------------------|
| generate-wallet | Guide user through wallet generation                       |
| vanity-address  | Guide vanity address generation with difficulty estimate   |
| security-review | Review security of wallet operations                       |

Session State Management

import { Keypair } from "@solana/web3.js";

interface KeypairInfo { publicKey: string; } // public view only; no secret bytes

class SolanaWalletMCPServer {
    private sessionKeypair: Keypair | null = null;

    generateKeypair(): KeypairInfo {
        if (this.sessionKeypair) {
            this.sessionKeypair.secretKey.fill(0); // zeroize old
        }
        this.sessionKeypair = Keypair.generate();
        return this.getKeypairInfo();
    }

    // Reports the Base58 public key only; secret key bytes never leave the session.
    private getKeypairInfo(): KeypairInfo {
        if (!this.sessionKeypair) throw new Error("no active session keypair");
        return { publicKey: this.sessionKeypair.publicKey.toBase58() };
    }
}

Security Model

  • Session keypair is zeroized when replaced or server shuts down
  • No network calls for key generation
  • All crypto uses @solana/web3.js only
  • Zod schemas validate all tool inputs
  • Secret key bytes are never logged or exposed in resources

Patterns to Follow

  • Validate all inputs with Zod schemas before processing
  • Zeroize secret keys when replaced or on shutdown
  • Return structured JSON for all tool responses
  • Use descriptive error messages for validation failures
  • Keep session state minimal — one active keypair at a time

Common Pitfalls

  • Session keypair is ephemeral — lost when server restarts
  • generate_vanity is single-threaded — long prefixes will be slow
  • sign_message requires an active session keypair — generate_keypair first
  • Resource URIs are case-sensitive
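The session-state snippet under Session State Management, the Security Model bullets and the pitfalls above are brought together in the following added example, which is not the skill's code: a session that holds one 64-byte secret key, zeroizes it when replaced or on shutdown, exposes only the public key through its resource view, validates restored key bytes, and fails sign_message with a descriptive error when no keypair is active. It uses Node's built-in Ed25519 (the `crypto` module) instead of @solana/web3.js so it runs without dependencies; the seed followed by public key layout of the secret key mirrors @solana/web3.js, the public key is reported as hex rather than Base58, and the class and function names are the example's own.

```typescript
// Added example, not the skill's own code: a model of the session state the
// SKILL.md describes, using Node's built-in Ed25519 in place of @solana/web3.js.
// Assumption: like @solana/web3.js, the 64-byte secretKey is seed || publicKey.
import { createPrivateKey, createPublicKey, randomBytes, sign, verify, KeyObject } from "crypto";

const SEED_LEN = 32;
const SECRET_KEY_LEN = 64;
// DER wrappers Node expects around raw Ed25519 key material.
const PKCS8_ED25519_PREFIX = Buffer.from("302e020100300506032b657004220420", "hex");
const SPKI_ED25519_PREFIX = Buffer.from("302a300506032b6570032100", "hex");

// The only shape a resource such as solana://keypair/current may return:
// public data, never secret bytes (hex here to stay dependency-free).
export interface KeypairInfo {
    publicKeyHex: string;
}

function privateKeyFromSeed(seed: Uint8Array): KeyObject {
    return createPrivateKey({
        key: Buffer.concat([PKCS8_ED25519_PREFIX, Buffer.from(seed)]),
        format: "der",
        type: "pkcs8",
    });
}

// Public key corresponding to a 32-byte Ed25519 seed.
export function derivePublicKey(seed: Uint8Array): Uint8Array {
    const spki = createPublicKey(privateKeyFromSeed(seed)).export({ type: "spki", format: "der" });
    return new Uint8Array(spki.subarray(SPKI_ED25519_PREFIX.length));
}

// verify_signature: needs only the public key, so it lives outside the session.
export function verifySignature(message: Uint8Array, signature: Uint8Array, publicKey: Uint8Array): boolean {
    if (publicKey.length !== SEED_LEN || signature.length !== 64) return false;
    const key = createPublicKey({
        key: Buffer.concat([SPKI_ED25519_PREFIX, Buffer.from(publicKey)]),
        format: "der",
        type: "spki",
    });
    return verify(null, Buffer.from(message), key, Buffer.from(signature));
}

export class SolanaWalletSession {
    private sessionKeypair: Uint8Array | null = null; // the 64-byte secret key, or none

    // generate_keypair: a fresh random seed replaces (and zeroizes) the old key.
    generateKeypair(): KeypairInfo {
        const seed = randomBytes(SEED_LEN);
        return this.install(Buffer.concat([seed, Buffer.from(derivePublicKey(seed))]));
    }

    // restore_keypair: check the layout, then copy the bytes so the caller's
    // buffer can be zeroized independently of the session's copy.
    restoreKeypair(secretKey: Uint8Array): KeypairInfo {
        if (secretKey.length !== SECRET_KEY_LEN) {
            throw new Error(`secret key must be ${SECRET_KEY_LEN} bytes, got ${secretKey.length}`);
        }
        const expected = derivePublicKey(secretKey.subarray(0, SEED_LEN));
        if (!Buffer.from(expected).equals(Buffer.from(secretKey.subarray(SEED_LEN)))) {
            throw new Error("public key half does not match the seed");
        }
        return this.install(new Uint8Array(secretKey));
    }

    // sign_message: a descriptive failure instead of a null dereference.
    signMessage(message: Uint8Array): Uint8Array {
        if (!this.sessionKeypair) {
            throw new Error("no active session keypair; call generate_keypair first");
        }
        const key = privateKeyFromSeed(this.sessionKeypair.subarray(0, SEED_LEN));
        return new Uint8Array(sign(null, Buffer.from(message), key));
    }

    // Backing data for solana://keypair/current.
    currentKeypair(): KeypairInfo | null {
        if (!this.sessionKeypair) return null;
        return { publicKeyHex: Buffer.from(this.sessionKeypair.subarray(SEED_LEN)).toString("hex") };
    }

    // Server shutdown: overwrite the secret bytes before dropping the reference.
    shutdown(): void {
        this.zeroize();
        this.sessionKeypair = null;
    }

    private install(secretKey: Uint8Array): KeypairInfo {
        this.zeroize();
        this.sessionKeypair = secretKey;
        return this.currentKeypair() as KeypairInfo;
    }

    private zeroize(): void {
        if (this.sessionKeypair) this.sessionKeypair.fill(0);
    }
}
```

Two design points matter for the claims in the Security Model: the secret key exists in exactly one buffer that the session owns, so `fill(0)` on replacement or shutdown really does remove it, and nothing outside the class can read that buffer, so a resource or log statement cannot leak it by accident. A real build on @solana/web3.js would keep the same structure with `Keypair` in place of the raw buffer.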
