solana-rent-free-dev

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed Solana/Light Protocol developer guidance skill with no evidence of hidden credential collection, persistence, or destructive behavior.

Install this only if you intend to use Light Protocol/Solana development guidance. Verify the Lightprotocol/skills repository before remote installs, prefer devnet or test wallets while experimenting, and review any solana, anchor, cargo, light, plugin, or npx command before allowing it to run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 89%
Finding
The skill states that skills are auto-discovered and invoked based on broad context such as asking about light-token, DeFi, payments, or program migration. That trigger surface is generic enough to cause the skill to activate in loosely related conversations, which can steer an agent into using this skill when the user did not explicitly request it. In this case the content is mostly documentation-oriented, so the issue is not directly dangerous by itself, but broad auto-invocation increases the chance of unintended tool use, installation guidance, or externally sourced dependency recommendations.

VirusTotal

65/65 vendors flagged this skill as clean.
