ClawHub

solana-development

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only Solana development skill with expected blockchain deployment and wallet guidance, not hidden automation.

This skill is reasonable to install for Solana development, but run blockchain commands only after checking the cluster, wallet, keypair path, and transaction effects. Prefer devnet/localnet first, protect private keys and API keys, and independently review security examples before using them in production.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
This example is labeled as 'read-only', but it constructs a mutable LightAccount with `new_mut()` and invokes the Light System Program, which consumes and re-creates compressed state on-chain. Developers following this pattern may unintentionally perform writes, incur state transitions, and introduce logic bugs or replay/concurrency issues because the operation is not actually read-only.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
This is a real documentation security flaw because the section labels a pattern as "Secure" while showing code that still reads account state across a CPI without clearly distinguishing what is fresh versus what must be re-deserialized. In a Solana security reference, readers may copy this example and assume cached or previously interpreted state remains trustworthy after external calls, leading to stale-state bugs, incorrect authorization decisions, or invariant violations in production programs.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal