Scan Report
5 /100
solanaprox-mcp
MCP server for SolanaProx — pay for AI inference with Solana/USDC. No API keys. Your wallet is your identity.
This is a legitimate MCP server for a Solana/USDC-based AI payment gateway. It exposes four tools (ask_ai, check_balance, estimate_cost, list_models) that send wallet address and prompts to solanaprox.com. No shell execution, filesystem access, credential harvesting, or hidden functionality found. The code is clean, well-structured, and behaves exactly as documented.
Safe to install
This skill is safe to use. No security controls are needed beyond what would be standard for any network-accessing tool. Ensure the SOLANA_WALLET env var is sourced securely.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | No filesystem access found in src/index.ts or agent-exammple.js |
| Network | READ | READ | ✓ Aligned | src/index.ts:97-106 — fetch POST to solanaprox.com/v1/messages; src/index.ts:124… |
| Shell | NONE | NONE | — | No child_process, exec, spawn, or shell command invocations found |
| Environment | READ | READ | ✓ Aligned | src/index.ts:17 — reads SOLANA_WALLET and SOLANAPROX_URL from process.env; only … |
| Skill Invoke | NONE | NONE | — | No inter-skill invocation found |
| Clipboard | NONE | NONE | — | No clipboard access found |
| Browser | NONE | NONE | — | No browser automation found |
| Database | NONE | NONE | — | No database access found |
16 findings
Medium External URL 外部 URL
https://badge.fury.io/js/solanaprox-mcp.svg README.md:5 Medium External URL 外部 URL
https://www.npmjs.com/package/solanaprox-mcp README.md:5 Medium External URL 外部 URL
https://img.shields.io/badge/License-MIT-yellow.svg README.md:6 Medium External URL 外部 URL
https://opensource.org/licenses/MIT README.md:6 Medium External URL 外部 URL
https://solanaprox.com README.md:70 Medium External URL 外部 URL
https://solanaprox.com/v1/messages README.md:138 Medium External URL 外部 URL
https://solanaprox.com/api/balance/YOUR_WALLET README.md:194 Medium External URL 外部 URL
https://solscan.io README.md:215 Medium External URL 外部 URL
https://solanaprox.com/docs README.md:222 Medium External URL 外部 URL
https://twitter.com/solanaprox README.md:223 Medium External URL 外部 URL
https://lightningprox.com README.md:224 Medium External URL 外部 URL
https://lpxpoly.com README.md:233 Medium External URL 外部 URL
https://isitarug.com README.md:234 Medium External URL 外部 URL
https://opencollective.com/express package-lock.json:257 Medium External URL 外部 URL
https://opencollective.com/fastify package-lock.json:585 Info Email 邮箱地址
[email protected] SKILL.md:88 File Tree
7 files · 73.6 KB · 2323 lines JSON 3f · 1432L
TypeScript 1f · 375L
Markdown 2f · 326L
JavaScript 1f · 190L
├─
▾
src
│ └─
index.ts
TypeScript
├─
agent-exammple.js
JavaScript
├─
package-lock.json
JSON
├─
package.json
JSON
├─
README.md
Markdown
├─
SKILL.md
Markdown
└─
tsconfig.json
JSON
Dependencies 3 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
@modelcontextprotocol/sdk | ^1.0.0 | npm | No | Standard MCP SDK from Anthropic, no known vulnerabilities |
typescript | ^5.0.0 | npm (dev) | No | Dev dependency only |
ts-node | ^10.9.0 | npm (dev) | No | Dev dependency only |
Security Positives
✓ No shell or subprocess execution — pure HTTP fetch API calls only
✓ No filesystem access — reads/writes no files beyond npm install
✓ No credential harvesting — SOLANA_WALLET used only as API identifier sent to declared endpoint
✓ No obfuscation — all code is clear, readable TypeScript
✓ No hidden instructions, base64, or eval patterns
✓ No suspicious dependencies beyond @modelcontextprotocol/sdk
✓ SKILL.md accurately describes all four tools and their behavior
✓ Error handling is present and appropriate (402 for insufficient balance, etc.)
✓ Wallet address is a public Solana identifier by design — no private key access