Pump Sdk Core

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This instruction-only skill is coherent for developing a Solana Pump SDK, but users should review any generated blockchain transaction code before signing or submitting it.

Safe to install as an instruction-only SDK-development helper, but treat any generated Solana transaction code as financially sensitive: inspect accounts, amounts, slippage, fees, and program IDs before signing or broadcasting anything.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

64/64 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Generated code may help create crypto transaction instructions, so mistakes could lead to unwanted token purchases, sales, migrations, or fee-collection behavior if used in a real transaction.

Why it was flagged

The skill is intended to help build instructions for blockchain actions that could affect assets if later signed and submitted, though the artifact frames this as SDK development rather than automatic execution.

Skill content

constructs Solana `TransactionInstruction`s for token creation, buying, selling, migration, and creator fee collection

Recommendation

Review generated instruction-building code carefully and require explicit user approval before composing, signing, or submitting any Solana transaction.

What this means

A sensitive RPC URL could expose provider quota or usage metadata if mishandled, although the artifacts do not show logging, exfiltration, private-key use, or wallet access.

Why it was flagged

The skill requires a Solana RPC endpoint for online account fetches; this is expected for the SDK, but RPC URLs can sometimes include provider API keys or account-specific quota credentials.

Skill content

requires:
  env:
    - SOLANA_RPC_URL

Recommendation

Use a least-privilege RPC endpoint and avoid embedding private keys or wallet secrets in SOLANA_RPC_URL.