Trust Assessment
pump-fun received a trust score of 67/100, placing it in the Caution category. This skill has some security considerations that users should review before deployment.
SkillShield's automated analysis identified 2 findings: 1 critical, 0 high, 1 medium, and 0 low severity. Key findings include Direct Access to Solana Private Key, Unspecified NPM Dependency Risk.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 63/100, indicating areas for improvement.
Last analyzed on February 12, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (2)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | **Direct Access to Solana Private Key.** The skill explicitly requires the `SOLANA_PRIVATE_KEY` environment variable, which grants full programmatic control over the user's Solana wallet. While necessary for the skill's stated functionality (trading and launching tokens), this represents an extremely high level of trust and an elevated risk. A compromise of the skill or its execution environment could lead to the loss of all funds in the associated wallet. The mention of a 'Local Transaction API for maximum security' mitigates some network exfiltration risks but does not eliminate the risk of the key being compromised within the execution environment. Users should be strongly advised to use a dedicated wallet with minimal funds for this skill. Implement robust security measures for the skill's execution environment, including strict isolation and regular security audits. Consider alternative authentication methods that do not require direct private key exposure, such as delegated signing or multi-party computation (MPC) solutions, if feasible for the platform. | LLM | SKILL.md:40 |
| MEDIUM | **Unspecified NPM Dependency Risk.** The skill's setup instructions include `npm install`. Without access to the `package.json` and `package-lock.json` files, there is an inherent supply chain risk. Malicious or vulnerable packages could be introduced, potentially leading to command injection, data exfiltration, or credential compromise during the installation process. Provide `package.json` and `package-lock.json` for analysis. Ensure all dependencies are explicitly pinned to exact versions. Regularly audit dependencies for known vulnerabilities using tools like `npm audit`. | LLM | SKILL.md:50 |
Full report: https://skillshield.io/report/1645905df0051c24
Powered by SkillShield