solana-dev-rent-free

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-focused Solana/Light Protocol development skill with disclosed tools and no evidence of secret collection, hidden execution, or persistence.

Reasonable to install for Light Protocol or Solana rent-free account development. Verify the GitHub source and current protocol status before relying on the examples, and do not provide wallet keypairs, seed phrases, production RPC tokens, or signing credentials to the skill or its subagents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 81%
Finding
The skill presents very broad activation cues such as asking about light-token, defi, payments, or program migration, which are common topics in normal Solana development discussions. This can cause the agent to auto-invoke the skill in situations where the user did not explicitly request it, increasing the chance of unwanted capability loading, overreach, or routing into external documentation and MCP-backed guidance. In this context, the risk is elevated because the skill is large, installs multiple sub-skills, and encourages automatic use across a wide domain.

VirusTotal

65/65 vendors flagged this skill as clean.
