Skill Trust Decision

pumpclaw-agent

The code shows a clear documentation/behaviour mismatch: SKILL.md declares "never sign transactions", yet buildAndPayInvoice actually executes tx.sign(); it also does not declare that user private keys (Base58) are stored in the SQLite database.

Install decision first · Source: ClawHub · Scanned: Apr 6, 2026
Files 11
Artifacts 10
Violations 1
Findings 5
Most direct threat evidence
01
Obtains project information via SKILL.md, posing as a legitimate Telegram + Pump.fun payment template Entry · SKILL.md
02
Once the template is deployed, the server holds the Base58-encoded private keys of every user deposit wallet Escalation · assets/template/src/server.js
03
If the database is compromised, the attacker can decode the private keys and take control of every user deposit wallet (SOL/tokens) Impact · assets/template/src/server.js

Why this conclusion was reached

2/4 dimensions flagged
Block
Declared vs actual capability

1 undeclared or violating capability was inferred.

Review
Hidden execution and egress

10 lower-risk artifacts were extracted and still need context.

Block
Attack chain and severe findings

The report includes 3 attack-chain steps and 2 severe findings.

Pass
Dependencies and supply chain hygiene

Dependencies are present but no obvious high-risk issue stands out.

Attack Chain

01
Obtains project information via SKILL.md, posing as a legitimate Telegram + Pump.fun payment template

Entry · SKILL.md:1

02
Once the template is deployed, the server holds the Base58-encoded private keys of every user deposit wallet

Escalation · assets/template/src/server.js:55

03
If the database is compromised, the attacker can decode the private keys and take control of every user deposit wallet (SOL/tokens)

Impact · assets/template/src/server.js:52

What drove the risk score up

Documentation/behaviour mismatch (doc_deception) +25

SKILL.md declares "never sign transactions on behalf of the user", but the code executes tx.sign() in buildAndPayInvoice

Undeclared private-key storage +15

The deposit_wallets table stores Base58-encoded private keys; SKILL.md only declares "never log or output private keys" and says nothing about database storage

Supply-chain risk +10

package.json dependencies use ^-prefixed version ranges and are not pinned to specific versions

Positive security measures -10

API authentication, rate limiting, input validation, local-only listening

Most important evidence

High Doc Mismatch

SKILL.md declaration contradicts code behaviour: transaction signing

SKILL.md's security rules explicitly state "Never sign transactions on behalf of the user", but server.js line 119 (server.cjs line 124), inside the buildAndPayInvoice function, executes tx.sign(payerKeypair), signing the transaction on behalf of the user (the deposit wallet).

assets/template/src/server.js:119
If this behaviour is intended, update the SKILL.md declaration; if not, remove that line and use the Pump SDK's delegated-payment mechanism instead.
High Doc Mismatch

SKILL.md does not declare private-key storage behaviour

SKILL.md only declares "Never log or output private keys / secret key material", but the code stores Base58-encoded private keys in the deposit_secret_b58 column of the SQLite deposit_wallets table, from which the private key can be decoded and recovered.

assets/template/src/server.js:55
1) Add a "Stores generated deposit keypairs in SQLite" declaration to SKILL.md; 2) in production, use an HSM or the wallet SDK's delegation mechanism instead of storing private keys directly.
Medium Sensitive Access

User private keys are generated server-side

getOrCreateDepositWallet generates a new Keypair for each user and stores its private key, so the server holds the private keys of every user deposit wallet; if the database is compromised, every wallet is stolen.

assets/template/src/server.js:52
Use PDAs (Program Derived Addresses) or hierarchical wallets so the server does not hold private keys.
Medium Supply Chain

Dependency versions not pinned

All dependencies in package.json use ^-prefixed version ranges, which allow automatic upgrades and expose the project to dependency supply-chain attacks.

assets/template/package.json:12
Commit package-lock.json and verify the SHA256 integrity hashes, or generate a lock file with npm install --package-lock-only.
Low Priv Escalation

Invoice verification logic allows small-amount spoofing

waitForDeposit uses an absolute amount check (bal >= lamports), so a user can send more SOL than the requested amount to the wallet and the system still accepts it.

assets/template/src/server.js:74
Decide, based on business requirements, whether exact amount matching is needed.

Declared capability vs actual capability

Filesystem Pass
Declared READ
Inferred READ
scripts/stamp_template.sh:29 tar copies the template directory
Shell Pass
Declared NONE
Inferred NONE
No shell command execution
Network Pass
Declared READ
Inferred READ
server.js:188 fastify.listen binds only to 127.0.0.1
Database Block
Declared WRITE
Inferred WRITE
server.js:55-60 SQLite storage of deposit_secret_b58 is not declared in SKILL.md

Suspicious artifacts and egress

Medium External URL
http://127.0.0.1:3033

assets/template/README-FAST.md:4

Medium External URL
http://127.0.0.1:3033/health

assets/template/README.md:19

Medium External URL
https://opencollective.com/fastify

assets/template/package-lock.json:111

Medium External URL
https://paulmillr.com/funding/

assets/template/package-lock.json:275

Medium External URL
https://www.patreon.com/feross

assets/template/package-lock.json:758

Medium External URL
https://feross.org/support

assets/template/package-lock.json:762

Medium External URL
https://opencollective.com/express

assets/template/package-lock.json:987

Medium External URL
https://dotenvx.com

assets/template/package-lock.json:1079

Medium Wallet Address
3j5fMGzUMCxWBJ3dV3a7Wz8y2f

assets/template/package-lock.json:1141

Medium External URL
https://paypal.me/kozjak

assets/template/package-lock.json:1768

Dependencies and supply chain

Package                       Version   Source  Known vuln  Notes
@pump-fun/agent-payments-sdk  3.0.0     npm     No          ^-prefixed version range
@solana/web3.js               ^1.98.0   npm     No          ^-prefixed version range
better-sqlite3                ^12.6.2   npm     No          ^-prefixed version range
dotenv                        ^17.3.1   npm     No          ^-prefixed version range
fastify                       ^5.8.2    npm     No          ^-prefixed version range

File composition

11 files · 3298 lines
JSON 2 files · 2239 lines
JavaScript 4 files · 858 lines
Markdown 4 files · 160 lines
Shell 1 file · 41 lines
Files of concern · 6
references/PUMP_TOKENIZED_AGENTS.md Markdown · 21 lines
assets/template/package-lock.json JSON · 2215 lines
https://opencollective.com/fastify · https://paulmillr.com/funding/ · https://www.patreon.com/feross · https://feross.org/support · https://opencollective.com/express · https://dotenvx.com · 3j5fMGzUMCxWBJ3dV3a7Wz8y2f · https://paypal.me/kozjak
assets/template/src/server.js JavaScript · 251 lines
SKILL.md declaration contradicts code behaviour: transaction signing · SKILL.md does not declare private-key storage behaviour · User private keys are generated server-side · Invoice verification logic allows small-amount spoofing
assets/template/README-FAST.md Markdown · 31 lines
http://127.0.0.1:3033
assets/template/README.md Markdown · 30 lines
http://127.0.0.1:3033/health
assets/template/package.json JSON · 24 lines
Dependency versions not pinned
Other files · server.cjs · telegram-bot.cjs · standalone-telegram.cjs · SKILL.md · stamp_template.sh

Security positives

API token authentication protects the endpoints
Rate limiting via @fastify/rate-limit
Strict input validation with zod
The server binds only to 127.0.0.1, not 0.0.0.0
Blockchain transactions are handled with a confirmation mechanism
Invoice state management prevents replay