solana-light-sdk

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a coherent Solana developer guide with disclosed but nontrivial blockchain and file-inspection risks.

Install only in a scoped project workspace, not from your home directory or a folder containing unrelated secrets. Review any Solana transaction examples before running them, use devnet/localnet first, and do not connect funded wallets or mainnet payer keys until you have checked endpoints, payer identity, tip amounts, and fees.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The example includes code that can transfer lamports as a Jito tip and submit transactions/bundles to the network, but the surrounding documentation does not clearly warn readers that these examples can incur real cost and execute live on-chain actions. In a developer integration guide, this can lead to accidental mainnet submissions, unexpected fees, or unintended fund movement if copied verbatim.

VirusTotal

66/66 vendors flagged this skill as clean.