solana-dev
Warn
Audited by Snyk on May 4, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.70). The skill explicitly instructs the agent to auto-install and use the Solana MCP server (SKILL.md "Solana MCP server" / "Auto-install" section, e.g., running claude mcp add ... https://mcp.solana.com/mcp) and to "Always" consult that live documentation search before using training data, which requires fetching and interpreting third-party public docs that can materially influence tool use and decisions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill instructs the agent to run a Bash command at runtime to add the Solana MCP server using https://mcp.solana.com/mcp, which fetches and registers an external tool whose content will be used by the agent for live documentation/expertise (i.e., it fetches remote content at runtime that can directly influence agent prompts/behavior).
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a Solana development toolkit with native blockchain transaction capabilities: it covers "wallet connection + signing flows", "transaction building / sending / confirmation UX", creating tokens, deploying programs, and uses concrete APIs/plugins such as createClient().use(signer()), signerFromFile(), generatedSigner(), payer()/identity(), and airdropSigner(...). Those are explicit crypto/blockchain signing and transaction-sending primitives (wallets, signing, and on-chain transactions), i.e., tools to move value on-chain. Guardrails do not remove the capability — they only constrain usage — so this meets the "Crypto/Blockchain (Wallets, Swaps, Signing)" criterion for Direct Financial Execution.
Issues (3)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
- W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).