Pump MCP Server

Advisory. Audited by static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a real wallet key is restored, an agent could sign messages as that wallet, which may authenticate the user or authorize actions depending on the service receiving the signature.

Why it was flagged

This shows the skill handles Solana private key material and can produce wallet signatures. The artifact does not define a clear user-approval boundary, key scope, or allowed message type before signatures are made.

Skill content

`restore_keypair` | Restore keypair from secret key bytes | ...
`sign_message` | Sign a message with session keypair |

Recommendation

Use only disposable or test wallets unless the actual implementation enforces explicit approval for every restore and signing action, shows the exact message to be signed, and never logs or exports secrets.

What this means

An autonomous agent or compromised prompt context could try to invoke signing-related workflows after a keypair is active.

Why it was flagged

The wallet tools are explicitly intended for agent consumption over MCP, but the instructions do not describe gating, confirmation, or human review for risky calls such as restoring a keypair or signing a message.

Skill content

Model Context Protocol server exposing tools, resources, and prompts for AI agent consumption over stdio transport with session keypair management.

Recommendation

Configure MCP/tool permissions so `restore_keypair` and `sign_message` require user confirmation, and avoid enabling autonomous use for wallet-signing operations.

What this means

You would need to separately trust and inspect whatever external MCP server or package you actually run before giving it wallet keys.

Why it was flagged

The reviewed artifact describes a wallet MCP server and security model, but no runnable implementation or install path is included for review.

Skill content

No install spec — this is an instruction-only skill.

Recommendation

Verify the upstream repository/package, pin versions, and review the implementation before using this with any valuable Solana wallet.