Back to skill

Security audit

Solana Payments

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only guide for creating Solana USDC subscription checkout links, with payment risks that are disclosed and aligned with its purpose.

Before installing or using it, confirm the npm package source, pin the dependency version, and review each generated checkout URL. Check the recipient public key, amount, billing frequency, fixed gateway, success/cancel URLs, and whether auto-renew is enabled. Avoid putting sensitive customer data in tracking IDs or memos because payment metadata may be persistent or visible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly instructs agents to produce a final subscription URL that can set up recurring payments, and it emphasizes a fixed gateway that enables an operator to trigger payments when due, but it does not require an explicit user confirmation or present prominent safety warnings before generating or sharing the payment-enabling URL. In an agent setting, this creates a meaningful risk of unintended or insufficiently understood financial commitment, especially because auto-renew and payment-triggering behavior are central to the workflow.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.