solana-agent-kit

This skill's documentation and examples are internally consistent: its capabilities match its stated purpose of enabling AI agents to perform Solana blockchain operations. However, it surfaces several supply‑chain and operational risks: storing private keys in plaintext config (MCP example), using npx to run MCP at runtime without verification, and exposing an executeBlink endpoint that can send data to arbitrary URLs. Combined with autonomous execution and a broad set of high‑privilege actions, misconfiguration or a compromised package upstream could lead to full wallet compromise and on‑chain loss. I find no direct evidence of intentionally malicious code in this documentation, but the patterns described raise significant security risks that require strict operational controls (hardware/managed wallets, avoid embedding raw private keys in files, verify packages, limit autonomous mode permissions).