solana-payments-wallet-dev

Security checks across malware telemetry and agentic risk

Overview

This skill is a transparent Solana payments and wallet development guide. It includes sensitive signing examples, but they are disclosed and fit the skill's purpose.

Install this only for Solana payment or wallet development. Start on devnet. Review every token, amount, recipient, network, and signing request before using real funds. Keep Privy treasury credentials server-side in a secrets manager, and never expose them to frontends or to an agent-wide environment.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings
Severity: Medium (89% confidence)
Finding: The documentation includes ready-to-use examples for transfers, wrapping, and unwrapping tokens that can move funds and create token accounts, but it does not prominently warn integrators to obtain explicit user consent, clearly display amounts/recipients, or explain that account-creation side effects may occur. In a wallet and payments skill, developers often copy examples directly into production flows, so missing safety guidance can lead to deceptive or silent fund movements even if the underlying SDK calls are legitimate.

Missing User Warnings
Severity: Medium (88% confidence)
Finding: The examples include direct asset-moving operations such as transfer, wrap, and unwrap, but they do not prominently warn integrators that these calls sign and submit state-changing transactions affecting user funds. In a wallet/payments skill, omission of explicit safety guidance can lead developers to embed these examples into automated flows or unclear UX, increasing the risk of unintended or unauthorized token movement.
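Both findings, and the Overview's advice to review every token, amount, recipient, network and signing request, amount to the same missing control: a policy check and a human-readable summary that runs before any signing request reaches the treasury key. The following is an added example of such a guard, not code from the skill, from Privy, or from the Solana SDKs. The `guardIntent` function, the intent and policy shapes, the mint and recipient addresses, and the policy limits are all constructed for this example; the rent figure is the rent-exempt minimum for a 165-byte SPL token account, which a transfer that creates the recipient's token account also spends.

```javascript
// Added example: a pre-signing guard for asset-moving requests (transfer,
// wrap, unwrap). Run it server-side, before anything reaches the signer, and
// show the returned summary to the user for explicit approval. The intent and
// policy shapes are assumptions made for this example, not an SDK interface.

// Rent-exempt minimum for a 165-byte SPL token account, in lamports. A transfer
// to a recipient with no associated token account pays this on top of the amount.
const TOKEN_ACCOUNT_RENT_LAMPORTS = 2_039_280n;
const SOL_DECIMALS = 9;

// Solana addresses are base58-encoded 32-byte keys: 32-44 chars, no 0, O, I or l.
function isSolanaAddress(s) {
  return typeof s === "string" && /^[1-9A-HJ-NP-Za-km-z]{32,44}$/.test(s);
}

// Render a base-unit bigint as a decimal string (lamports -> SOL, etc.).
function formatAmount(amount, decimals) {
  const base = 10n ** BigInt(decimals);
  const whole = amount / base;
  const frac = (amount % base).toString().padStart(decimals, "0").replace(/0+$/, "");
  return frac ? `${whole}.${frac}` : `${whole}`;
}

/**
 * intent: { kind, network, mint, decimals, amount (bigint, base units),
 *           recipient, createsTokenAccount, userConsent }
 * policy: { allowedNetworks, allowedMints, maxAmountPerTx (bigint),
 *           recipientAllowlist (optional) }
 * Returns { ok, reasons, summary }. Sign only when ok is true; reasons is the
 * full list of policy violations so the caller can log all of them at once.
 */
function guardIntent(intent, policy) {
  const reasons = [];
  if (!["transfer", "wrap", "unwrap"].includes(intent.kind)) reasons.push(`unknown operation ${intent.kind}`);
  if (!policy.allowedNetworks.includes(intent.network)) reasons.push(`network ${intent.network} is not allowed`);
  if (!policy.allowedMints.includes(intent.mint)) reasons.push(`mint ${intent.mint} is not allowed`);
  const amountOk = typeof intent.amount === "bigint" && intent.amount > 0n;
  if (!amountOk) reasons.push("amount must be a positive bigint in base units");
  else if (intent.amount > policy.maxAmountPerTx) {
    reasons.push(`amount exceeds per-transaction limit of ${formatAmount(policy.maxAmountPerTx, intent.decimals)}`);
  }
  if (!isSolanaAddress(intent.recipient)) reasons.push("recipient is not a valid Solana address");
  else if (policy.recipientAllowlist && !policy.recipientAllowlist.includes(intent.recipient)) {
    reasons.push("recipient is not on the allowlist");
  }
  if (intent.userConsent !== true) reasons.push("explicit user consent has not been recorded");

  // The summary is what the user must approve: operation, amount, mint,
  // recipient, network, and any side effect that also spends funds.
  const amountText = amountOk ? formatAmount(intent.amount, intent.decimals) : "?";
  const lines = [
    `${String(intent.kind).toUpperCase()} ${amountText} of mint ${intent.mint}`,
    `to ${intent.recipient}`,
    `on ${intent.network}`,
  ];
  if (intent.createsTokenAccount) {
    lines.push(`side effect: creates a token account (${formatAmount(TOKEN_ACCOUNT_RENT_LAMPORTS, SOL_DECIMALS)} SOL rent, paid by the fee payer)`);
  }
  return { ok: reasons.length === 0, reasons, summary: lines.join("\n") };
}

// Constructed sample data: placeholder mint and recipient, not real accounts.
const SAMPLE_MINT = "Mint1111111111111111111111111111111111111111";
const SAMPLE_RECIPIENT = "4Nd1mBQtrMJVYVfKf2PJy9NZaZ8sJwjSnXh7kTzUvEhM";

const DEVNET_POLICY = {
  allowedNetworks: ["devnet"],
  allowedMints: [SAMPLE_MINT],
  maxAmountPerTx: 2_000_000n,            // 2 tokens at 6 decimals
  recipientAllowlist: [SAMPLE_RECIPIENT],
};

const devnetTransfer = {
  kind: "transfer", network: "devnet", mint: SAMPLE_MINT, decimals: 6,
  amount: 1_500_000n, recipient: SAMPLE_RECIPIENT,
  createsTokenAccount: true, userConsent: true,
};

// The same request replayed against mainnet, over the limit, without consent.
const mainnetTransfer = { ...devnetTransfer, network: "mainnet-beta", amount: 5_000_000n, userConsent: false };

console.log(guardIntent(devnetTransfer, DEVNET_POLICY));
console.log(guardIntent(mainnetTransfer, DEVNET_POLICY));
```

The guard accumulates every violation rather than returning on the first one, so a rejected request is logged with all of its problems; the summary string is the exact text the user approves, and `userConsent` should only be set to true against that text, never by an automated caller.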

VirusTotal

0 of 66 vendors flagged this skill; all 66 reported it as clean.
