Low Risk — Risk Score 15/100
Last scan: 1 day ago
SolanaProx MCP Server
AI API gateway using Solana/USDC payments via x402 protocol
Legitimate MCP server for AI API payments via Solana/USDC with no malicious behavior observed, though its dependency on an external service and an unpinned production dependency range warrant attention.
Skill Name: SolanaProx MCP Server
Duration: 31.1s
Engine: pi
Safe to install
This is a legitimate payment-gateway skill. Monitor the external service for availability, and consider pinning @modelcontextprotocol/sdk to a specific version. Pinning in package.json only covers the direct dependency, so also commit package-lock.json and install with npm ci so that transitive dependencies are held fixed as well.

Findings 2 items

Severity  Finding  Location

Low · Unpinned Production Dependency (Supply Chain) · package.json:25
@modelcontextprotocol/sdk is declared with the caret range ^1.0.0, which accepts any release >=1.0.0 <2.0.0, so an install may pull a later 1.x minor or patch version from the registry. package-lock.json is not published with an npm package, so anyone installing solanaprox-mcp resolves this range at their own install time, not to the version the author tested.
"@modelcontextprotocol/sdk": "^1.0.0"
→ Pin to a specific version: "@modelcontextprotocol/sdk": "1.0.0"

Info · Wallet Address Transmitted with Every Request (Data Exfil) · src/index.ts:111
The SOLANA_WALLET address is sent in the X-Wallet-Address header to the external service on every API call. A Solana address is a public key, not a secret, but it ties every request to one on-chain identity whose balance and transaction history are publicly visible.
"X-Wallet-Address": WALLET_ADDRESS
→ Document that wallet addresses are pseudonymous on Solana and that the service uses the address only for payment routing.
Resource     Declared  Inferred    Status     Evidence
Network      READ      READ_WRITE  ✓ Aligned  src/index.ts:108-115 makes a POST to /v1/messages
Environment  READ      READ        ✓ Aligned  src/index.ts:18 reads the SOLANA_WALLET env var
Filesystem   NONE      NONE                   No file operations in codebase
Shell        NONE      NONE                   No shell execution detected
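One way to reproduce the Declared/Inferred comparison in the table above, as an added example in TypeScript that is neither the scan engine's code nor the SolanaProx project's: a pattern-based scanner over source text that infers a per-resource access level (NONE, READ, READ_WRITE) and flags any inferred level above the declared one. The source fragment is constructed to mirror what the table cites (an env read of SOLANA_WALLET and a POST to /v1/messages); the declared levels are copied from the table's Declared column into a plain object, since the skill's real declaration format is not reproduced here. Note that this check is stricter than the report's engine, which marked Network declared READ against inferred READ_WRITE as aligned; this version reports that row as exceeding its declaration.

```typescript
// Added example, not code from the SolanaProx project or the scanner.
// Heuristic static inference of resource usage from source text, compared
// against a declared manifest. Regex matching misses dynamic require(),
// string-built identifiers and the like, so a clean result means "nothing
// obvious", not "nothing there".

type Level = "NONE" | "READ" | "READ_WRITE";
type Resource = "network" | "environment" | "filesystem" | "shell";
type Manifest = Record<Resource, Level>;

const RANK: Record<Level, number> = { NONE: 0, READ: 1, READ_WRITE: 2 };

function maxLevel(a: Level, b: Level): Level {
  return RANK[a] >= RANK[b] ? a : b;
}

interface Inference {
  level: Level;
  evidence: string[]; // "line N: matched text"
}

// Each rule raises its resource to at least the given level when it matches a line.
const RULES: Array<{ resource: Resource; level: Level; re: RegExp }> = [
  { resource: "environment", level: "READ", re: /process\.env(?:\.\w+|\[["']\w+["']\])/ },
  { resource: "network", level: "READ", re: /\bfetch\s*\(|\bhttps?\.request\s*\(|\baxios\b/ },
  // A mutating HTTP verb in a request options object is a write to a remote service.
  { resource: "network", level: "READ_WRITE", re: /method\s*:\s*["'](POST|PUT|PATCH|DELETE)["']/i },
  { resource: "filesystem", level: "READ", re: /\b(readFileSync?|readdirSync?|createReadStream)\s*\(/ },
  { resource: "filesystem", level: "READ_WRITE", re: /\b(writeFileSync?|appendFileSync?|unlinkSync?|mkdirSync?|createWriteStream)\s*\(/ },
  // Bare exec( is deliberately excluded: RegExp.prototype.exec would false-positive.
  { resource: "shell", level: "READ_WRITE", re: /child_process|\b(execSync|spawn|spawnSync|execFile|execFileSync)\s*\(/ },
];

function inferResources(source: string): Record<Resource, Inference> {
  const result: Record<Resource, Inference> = {
    network: { level: "NONE", evidence: [] },
    environment: { level: "NONE", evidence: [] },
    filesystem: { level: "NONE", evidence: [] },
    shell: { level: "NONE", evidence: [] },
  };
  source.split("\n").forEach((line, i) => {
    for (const rule of RULES) {
      const m = rule.re.exec(line);
      if (!m) continue;
      const entry = result[rule.resource];
      entry.level = maxLevel(entry.level, rule.level);
      entry.evidence.push("line " + (i + 1) + ": " + m[0]);
    }
  });
  return result;
}

interface Row { resource: Resource; declared: Level; inferred: Level; status: string; evidence: string[] }

// Any inferred level above the declared one is flagged (stricter than the report's engine).
function compareWithManifest(declared: Manifest, source: string): Row[] {
  const inferred = inferResources(source);
  return (Object.keys(declared) as Resource[]).map((resource) => {
    const d = declared[resource];
    const inf = inferred[resource];
    const status = RANK[inf.level] <= RANK[d] ? "Aligned" : "Exceeds declared (" + inf.level + " > " + d + ")";
    return { resource, declared: d, inferred: inf.level, status, evidence: inf.evidence };
  });
}

function findRow(rows: Row[], resource: Resource): Row {
  const hit = rows.filter((r) => r.resource === resource)[0];
  if (!hit) throw new Error("no row for " + resource);
  return hit;
}

// Constructed stand-in for src/index.ts; the real file is not reproduced here.
const SAMPLE_SOURCE = `
const WALLET_ADDRESS = process.env.SOLANA_WALLET;
async function callGateway(body: unknown) {
  return fetch("https://solanaprox.com/v1/messages", {
    method: "POST",
    headers: { "Content-Type": "application/json", "X-Wallet-Address": WALLET_ADDRESS },
    body: JSON.stringify(body),
  });
}
`;

// Declared levels as listed in the report's resource table (assumed manifest shape).
const DECLARED: Manifest = { network: "READ", environment: "READ", filesystem: "NONE", shell: "NONE" };

for (const row of compareWithManifest(DECLARED, SAMPLE_SOURCE)) {
  console.log(row.resource, row.declared, row.inferred, row.status, row.evidence.join("; "));
}
```

Running it prints one row per resource; the network row carries two evidence lines (the fetch call and the POST method) and is reported as exceeding its declared READ level, while environment, filesystem and shell match the table.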
External references: 17 findings (16 URLs, 1 email address)

Severity  Type  Value  Location
Medium  External URL  https://badge.fury.io/js/solanaprox-mcp.svg  README.md:5
Medium  External URL  https://www.npmjs.com/package/solanaprox-mcp  README.md:5
Medium  External URL  https://img.shields.io/badge/License-MIT-yellow.svg  README.md:6
Medium  External URL  https://opensource.org/licenses/MIT  README.md:6
Medium  External URL  https://402index.io  README.md:16
Medium  External URL  https://solanaprox.com  README.md:72
Medium  External URL  https://solanaprox.com/v1/messages  README.md:140
Medium  External URL  https://solanaprox.com/api/balance/YOUR_WALLET  README.md:196
Medium  External URL  https://solscan.io  README.md:217
Medium  External URL  https://solanaprox.com/docs  README.md:224
Medium  External URL  https://twitter.com/solanaprox  README.md:225
Medium  External URL  https://lightningprox.com  README.md:226
Medium  External URL  https://lpxpoly.com  README.md:235
Medium  External URL  https://isitarug.com  README.md:236
Medium  External URL  https://opencollective.com/express  package-lock.json:257
Medium  External URL  https://opencollective.com/fastify  package-lock.json:585
Info  Email  [email protected]  SKILL.md:94

The code's own outbound call is the POST to /v1/messages noted in the resource table; the other README entries are badge images, the npm and license pages, the gateway's documentation and links to related sites. The two opencollective.com entries are funding URLs recorded in package-lock.json for packages that are not among the three declared dependencies; they are lockfile metadata, not network calls made by the skill.

File Tree

7 files · 74.3 KB · 2331 lines
JSON: 3 files, 1432 lines · TypeScript: 1 file, 375 lines · Markdown: 2 files, 334 lines · JavaScript: 1 file, 190 lines
├─ 📁 src
│ └─ 📜 index.ts TypeScript 375L · 10.2 KB
├─ 📜 agent-exammple.js JavaScript 190L · 6.0 KB
├─ 📋 package-lock.json JSON 1368L · 47.6 KB
├─ 📋 package.json JSON 49L · 1.1 KB
├─ 📝 README.md Markdown 240L · 5.8 KB
├─ 📝 SKILL.md Markdown 94L · 3.4 KB
└─ 📋 tsconfig.json JSON 15L · 324 B

Dependencies 3 items

Package  Version  Source  Known Vulns  Notes
@modelcontextprotocol/sdk  ^1.0.0  npm  No  Version range allows updates (production dependency)
typescript  ^5.0.0  npm  No  Dev dependency only
ts-node  ^10.9.0  npm  No  Dev dependency only
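To act on the Low finding above and the "Version range allows updates" note in this table, here is an added TypeScript example (not the project's code) that flags every non-exact specifier in a package.json and rewrites production ranges to the versions already resolved in package-lock.json (lockfileVersion 2 or 3, where each installed package is keyed under `packages` as `node_modules/<name>`). The package.json content mirrors the dependency table; the lockfile fragment and its resolved version 1.0.4 are constructed for illustration and are not taken from the real lockfile.

```typescript
// Added example, not code from the SolanaProx project.
// Detect floating dependency specifiers and pin production ones to the
// version the committed lockfile resolved, rather than to the range's floor.

type DepMap = Record<string, string>;

interface PackageJson {
  name?: string;
  dependencies?: DepMap;
  devDependencies?: DepMap;
}

// Only the parts of package-lock.json (lockfileVersion 2/3) this check needs.
interface PackageLock {
  lockfileVersion: number;
  packages: Record<string, { version?: string }>;
}

// An exact pin is MAJOR.MINOR.PATCH with an optional prerelease/build tag.
// Anything else (^, ~, >=, *, x-ranges, "latest", git or URL specifiers) floats.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function isExactVersion(spec: string): boolean {
  return EXACT_VERSION.test(spec.trim());
}

function entries(map: DepMap | undefined): Array<[string, string]> {
  const m: DepMap = map ?? {};
  return Object.keys(m).map((k): [string, string] => [k, m[k]]);
}

interface UnpinnedDep {
  name: string;
  spec: string;
  scope: "dependencies" | "devDependencies";
}

// Report every dependency whose specifier is a range rather than an exact version.
function findUnpinned(pkg: PackageJson): UnpinnedDep[] {
  const out: UnpinnedDep[] = [];
  const scopes: Array<"dependencies" | "devDependencies"> = ["dependencies", "devDependencies"];
  for (const scope of scopes) {
    for (const [name, spec] of entries(pkg[scope])) {
      if (!isExactVersion(spec)) out.push({ name, spec, scope });
    }
  }
  return out;
}

// Rewrite floating production specifiers to the version the lockfile resolved.
// devDependencies are left alone: they are not installed by consumers of the package.
function pinFromLockfile(pkg: PackageJson, lock: PackageLock): PackageJson {
  if (lock.lockfileVersion < 2) throw new Error("need lockfileVersion 2 or 3 (npm 7+)");
  const pinned: DepMap = {};
  for (const [name, spec] of entries(pkg.dependencies)) {
    if (isExactVersion(spec)) { pinned[name] = spec; continue; }
    const entry = lock.packages["node_modules/" + name];
    if (!entry || !entry.version) throw new Error(name + " is not resolved in the lockfile; run npm install first");
    pinned[name] = entry.version;
  }
  return { ...pkg, dependencies: pinned };
}

// Constructed sample mirroring the report's dependency table (the real package.json is not reproduced).
const samplePkg: PackageJson = {
  name: "solanaprox-mcp",
  dependencies: { "@modelcontextprotocol/sdk": "^1.0.0" },
  devDependencies: { typescript: "^5.0.0", "ts-node": "^10.9.0" },
};

// Constructed lockfile fragment; the resolved version 1.0.4 is an assumption for illustration.
const sampleLock: PackageLock = {
  lockfileVersion: 3,
  packages: { "node_modules/@modelcontextprotocol/sdk": { version: "1.0.4" } },
};

console.log(findUnpinned(samplePkg).map((d) => d.scope + ": " + d.name + "@" + d.spec));
console.log(JSON.stringify(pinFromLockfile(samplePkg, sampleLock).dependencies));
```

Pinning to the lockfile's resolved version rather than to the range's floor keeps package.json on the build that was actually tested. This covers only direct dependencies of whoever installs the package; the author's own builds are held fixed by committing package-lock.json and installing with npm ci, and transitive dependencies of consumers are still resolved at their install time.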

Security Positives

✓ No credential theft: the only environment value read is SOLANA_WALLET, a wallet address that is public by design on Solana; no private key or seed is read or transmitted
✓ No shell execution, base64 obfuscation, or reverse shell patterns
✓ No access to sensitive paths (~/.ssh, ~/.aws, .env)
✓ No data exfiltration to undeclared endpoints
✓ Clean code with proper error handling
✓ MIT licensed with transparent source and author information