Pump MCP Server
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: pump-mcp-server Version: 0.1.0 The skill is classified as suspicious due to its inherent handling of highly sensitive cryptographic operations, including Solana keypair generation, message signing, and keypair restoration from secret bytes, as described in `SKILL.md`. While the documentation outlines good security practices like zeroization and preventing secret key exposure, the nature of these capabilities presents a significant attack surface for potential vulnerabilities in the underlying implementation or misuse via prompt injection against the AI agent, despite no explicit malicious instructions in the provided markdown.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a real wallet key is restored, an agent could sign messages as that wallet, which may authenticate the user or authorize actions depending on the service receiving the signature.
This shows the skill handles Solana private key material and can produce wallet signatures. The artifact does not define a clear user-approval boundary, key scope, or allowed message type before signatures are made.
`restore_keypair` | Restore keypair from secret key bytes | ... `sign_message` | Sign a message with session keypair |
Use only disposable or test wallets unless the actual implementation enforces explicit approval for every restore and signing action, shows the exact message to be signed, and never logs or exports secrets.
An autonomous agent or compromised prompt context could try to invoke signing-related workflows after a keypair is active.
The wallet tools are explicitly intended for agent consumption over MCP, but the instructions do not describe gating, confirmation, or human review for risky calls such as restoring a keypair or signing a message.
Model Context Protocol server exposing tools, resources, and prompts for AI agent consumption over stdio transport with session keypair management.
Configure MCP/tool permissions so `restore_keypair` and `sign_message` require user confirmation, and avoid enabling autonomous use for wallet-signing operations.
You would need to separately trust and inspect whatever external MCP server or package you actually run before giving it wallet keys.
The reviewed artifact describes a wallet MCP server and security model, but no runnable implementation or install path is included for review.
No install spec — this is an instruction-only skill.
Verify the upstream repository/package, pin versions, and review the implementation before using this with any valuable Solana wallet.