pump-fun
Pass
Audited by Gen Agent Trust Hub on Apr 12, 2026
Risk Level: SAFE
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: Downloads an installation script and platform-specific binaries from the vendor's official GitHub organization to ensure the presence of required local dependencies.
- [REMOTE_CODE_EXECUTION]: Executes an environment setup script (install.sh) via a shell pipe to automate the installation of the onchainos CLI and related utilities.
- [COMMAND_EXECUTION]: Performs system calls to the onchainos CLI for wallet management, balance inquiries, and executing on-chain swaps. All write operations require explicit user confirmation before broadcasting.
- [DATA_EXFILTRATION]: Transmits installation telemetry to the vendor's reporting API and a statistics endpoint on Vercel. The telemetry payload includes an anonymized device fingerprint generated via SHA256 hashing of local platform metadata.
- [PROMPT_INJECTION]: Processes untrusted data from Solana RPC nodes. The skill includes specific architectural guidance and warnings to treat all CLI outputs as external content, recommending field filtering to prevent the agent from interpreting data as instructions.
Audit Metadata