Pump MCP Server

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a code-free description of a Solana wallet MCP helper; its private-key and signing features are disclosed but should be used only with keys and messages the user intentionally approves.

Treat this as documentation rather than a verified MCP server. Do not paste or restore a valuable Solana private key unless you have inspected and trust the actual implementation, and only allow message signing when you understand exactly what is being signed.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

66/66 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a real wallet key is restored, the agent/server may be able to sign messages as that wallet during the session.

Why it was flagged

The skill documents handling Solana private-key material and using it to sign messages, which is sensitive delegated wallet authority even though it is aligned with the stated wallet-operations purpose.

Skill content

`sign_message` | Sign a message with session keypair ... `restore_keypair` | Restore keypair from secret key bytes

Recommendation

Use only keys you intend to expose to this MCP server, prefer test or limited-purpose wallets, and review every message before allowing it to be signed.

What this means

Users cannot confirm from this package alone how the wallet tools are implemented or whether the stated security model is enforced.

Why it was flagged

The package does not include an installable MCP server implementation in the provided artifacts, so the documented claims such as zeroization, no network calls, and no secret logging cannot be independently verified here.

Skill content

No install spec — this is an instruction-only skill.

Recommendation

Before using with real keys, inspect and install only a trusted implementation from a known source, and verify that it matches the documented behavior.