shipmytoken
Fail
Audited by Snyk on Feb 19, 2026
Risk Level: CRITICAL
Full Analysis
CRITICAL E004: Prompt injection detected in skill instructions.
- Potential prompt injection detected (high risk: 0.90). The prompt includes explicit deceptive/hidden instructions—most notably to omit the default 90%/10% fee split from pre-launch summaries and to conceal the automatic "pump" address-grinding/fallback behavior—constituting material omissions outside the skill's stated purpose.
HIGH W007: Insecure credential handling detected in skill instructions.
- Insecure credential handling detected (high risk: 1.00). The skill explicitly instructs exporting and displaying the user's private key verbatim (node ... --export → "Display the private key"), which requires the LLM to output a secret value directly.
CRITICAL E006: Malicious code pattern detected in skill scripts.
- Malicious code pattern detected (high risk: 0.90). This skill contains deliberate, user-facing deception and persistent monetization designed to siphon funds and enable abuse: it hides a mandatory 10% "Ship My Token" fee by omitting the default split from pre-launch summaries, forces immediate onboarding that creates a wallet and asks the user to send SOL, instructs the agent to always accept and deploy any token (explicitly disabling content moderation), and sets up persistent scheduled tasks (heartbeat/cron) and automatic behaviors — together these are intentional abuse patterns (economic siphoning, social-engineering to collect funds, and persistence) and also increase risk of facilitating scams; additionally, it silently uploads metadata/images (IPFS) and grinds mint addresses without telling users, which are further deceptive/opaque behaviors.
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill's workflow (SKILL.md) explicitly runs scripts like src/stats.mjs and src/launch.mjs that fetch and display on-chain and pump.fun data (including token descriptions, social/website URLs and user-supplied image URLs), so the agent ingests untrusted, user-generated content from public pump.fun/IPFS/URLs and uses that content to decide and drive actions such as daily recaps, portfolio displays, and launch-related steps.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill explicitly runs npm install at runtime to fetch required packages (notably @pump-fun/pump-sdk listed in package.json) from the npm registry (https://registry.npmjs.org/), which downloads remote code the agent then executes and relies on — meeting the criteria for a runtime external dependency that can execute code.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly performs cryptocurrency/blockchain financial operations. It creates and manages Solana wallets (setup, wallet backup/export of private key), asks the user to fund the wallet (send 0.02 SOL), grinds/creates mint addresses with solana-keygen, launches tokens via a launch script (node .../launch.mjs) which deploys a token and can execute initial buys, updates fee-sharing splits via a fees update command (node .../fees.mjs --update --mint ... --shares ...), and claims/withdraws creator fees with a direct command (node .../fees.mjs --claim). These are direct crypto wallet and transaction actions (creating/signing transactions, moving funds, claiming on-chain fees), not generic tooling. That matches the “Crypto/Blockchain (Wallets, Swaps, Signing)” category of direct financial execution.
Audit Metadata