solana-pay
Fail
Audited by Gen Agent Trust Hub on Feb 14, 2026
Risk Level: HIGH
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE] (HIGH): The skill requires the environment variable SOLANA_KEYPAIR_PATH, which points to the user's private Solana key (e.g., ~/.config/solana/id.json). Granting an AI agent access to this path allows it to read the private key, which could lead to total loss of funds if the agent is compromised or misused.
- [COMMAND_EXECUTION] (MEDIUM): Shell scripts like pos_payment.sh and wait_payment.sh interpolate variables such as ORDER_ID, AMOUNT, and TOKEN directly into shell commands and curl requests without sanitization. If these inputs are sourced from untrusted user prompts, it creates a vector for shell command injection.
- [DATA_EXFILTRATION] (MEDIUM): Because the skill has access to both a sensitive file (the private key) and the network (via curl), it could be instructed or compromised to send the contents of the keypair file to an external endpoint masquerading as an RPC provider.
- [PROMPT_INJECTION] (MEDIUM): The skill ingests untrusted data from the Solana blockchain (such as transaction memos and signatures) via RPC calls. These inputs enter the agent's context without sanitization or boundary markers, creating a surface for indirect prompt injection that could influence the agent's subsequent decision-making or command generation.
Recommendations
- AI detected serious security threats
Audit Metadata