Skill Trust Decision

pumpclaw-agent

The skill generates a legitimate Telegram+web payment template but contains an undocumented deposit-wallet pattern that stores private keys in SQLite, plus unused treasury keypair code creating shadow surface.

Source: Manual upload · Scanned: Apr 4, 2026
Files 11
Artifacts 10
Violations 1
Findings 4
Most direct threat evidence

Why this conclusion was reached

1/4 dimensions flagged
Block
Declared vs actual capability

1 undeclared or violating capability was inferred.

Review
Hidden execution and egress

10 lower-risk artifacts were extracted and still need context.

Pass
Attack chain and severe findings

There is no explicit malicious chain in the report.

Review
Dependencies and supply chain hygiene

4 dependency or supply-chain issues need attention.

What drove the risk score up

Undocumented private key storage pattern +20

SKILL.md safety rule 'Never handle private keys' conflicts with template storing deposit wallet secrets in SQLite; no explicit documentation of this design decision

Unused treasury keypair code +10

server.js:40-43 and server.cjs:72-75 create a treasury Keypair from TREASURY_SECRET_KEY_BASE58 that is never used in any transaction flow

Server-controlled transaction signing +10

SKILL.md 'Never sign transactions on behalf of the user' conflicts with server signing invoices from deposit keypairs (server.js:116-124, server.cjs:210-225)

Most important evidence

Medium Sensitive Access

Deposit wallet private keys stored in plaintext SQLite

The template generates per-user deposit keypairs and stores the base58-encoded secret key (deposit_secret_b58) in a SQLite database. This directly contradicts SKILL.md safety rule 'Never handle private keys / secret key material' and creates severe risk if the database file is accessed.

assets/template/src/server.js:77
Document this design decision explicitly in SKILL.md and consider encrypting SQLite database at rest, using environment-backed keys, or redesigning to avoid server-side key custody.
Medium Doc Mismatch

Unused treasury keypair created from environment secret

Both server.js and server.cjs decode TREASURY_SECRET_KEY_BASE58 into a Keypair and assign it to a 'treasury' variable that is never used in any subsequent code path. This creates shadow attack surface for credential harvesting.

assets/template/src/server.js:40
Remove the unused treasury keypair construction, or document its intended purpose. If it will be used later, implement it fully.
Medium Doc Mismatch

Transaction signing not declared in SKILL.md

SKILL.md states 'Never sign transactions on behalf of the user', but the template server signs invoice transactions from deposit keypairs (server-controlled wallets). While technically not user keys, this operational behavior is not declared.

assets/template/src/server.js:116
Clarify SKILL.md to distinguish between 'user keys' (never handled) and 'service keys' (managed for deposit wallet operation), documenting the trust model.
Low Supply Chain

Native module dependency without explicit security controls

better-sqlite3 is a native Node.js module that reads/writes binary database files. If the module or its build artifacts are compromised, the entire database including stored secrets could be exposed.

assets/template/package.json:12
Pin to exact version and consider adding integrity verification for native dependencies.

Declared capability vs actual capability

| Capability | Result | Declared | Inferred | Evidence |
| --- | --- | --- | --- | --- |
| Filesystem | Pass | WRITE | WRITE | SKILL.md stamps assets/template/ to customer folder |
| Shell | Pass | WRITE | WRITE | scripts/stamp_template.sh uses tar/bash |
| Network | Pass | READ | READ | Solana RPC URL for payment verification |
| Database | Pass | WRITE | WRITE | better-sqlite3 stores deposit wallets and balances |
| Skill Invoke | Pass | NONE | NONE | Skill generates project; doesn't execute template |
| credential_theft | Block | NONE | WRITE | deposit_secret_b58 stored in SQLite without encryption |

Suspicious artifacts and egress

Medium External URL
http://127.0.0.1:3033

assets/template/README-FAST.md:4

Medium External URL
http://127.0.0.1:3033/health

assets/template/README.md:19

Medium External URL
https://opencollective.com/fastify

assets/template/package-lock.json:111

Medium External URL
https://paulmillr.com/funding/

assets/template/package-lock.json:275

Medium External URL
https://www.patreon.com/feross

assets/template/package-lock.json:758

Medium External URL
https://feross.org/support

assets/template/package-lock.json:762

Medium External URL
https://opencollective.com/express

assets/template/package-lock.json:987

Medium External URL
https://dotenvx.com

assets/template/package-lock.json:1079

Medium Wallet Address
3j5fMGzUMCxWBJ3dV3a7Wz8y2f

assets/template/package-lock.json:1141

Medium External URL
https://paypal.me/kozjak

assets/template/package-lock.json:1768

Dependencies and supply chain

| Package | Version | Source | Known vuln | Notes |
| --- | --- | --- | --- | --- |
| @pump-fun/agent-payments-sdk | 3.0.0 | npm | No | Major version only; supply chain risk for SDK |
| @solana/web3.js | ^1.98.0 | npm | No | Pinned to major version |
| better-sqlite3 | ^12.6.2 | npm | No | Native module; database contains plaintext private keys |
| fastify | ^5.8.2 | npm | No | Pinned to major version |
| grammy | ^1.41.1 | npm | No | Pinned to major version |
| zod | ^4.3.6 | npm | No | Pinned to major version |

File composition

11 files · 3298 lines
JSON 2 files · 2239 lines
JavaScript 4 files · 858 lines
Markdown 4 files · 160 lines
Shell 1 file · 41 lines
Files of concern · 6
references/PUMP_TOKENIZED_AGENTS.md Markdown · 21 lines
assets/template/package-lock.json JSON · 2215 lines
https://opencollective.com/fastify · https://paulmillr.com/funding/ · https://www.patreon.com/feross · https://feross.org/support · https://opencollective.com/express · https://dotenvx.com · 3j5fMGzUMCxWBJ3dV3a7Wz8y2f · https://paypal.me/kozjak
assets/template/src/server.js JavaScript · 251 lines
Deposit wallet private keys stored in plaintext SQLite · Unused treasury keypair created from environment secret · Transaction signing not declared in SKILL.md
assets/template/README-FAST.md Markdown · 31 lines
http://127.0.0.1:3033
assets/template/README.md Markdown · 30 lines
http://127.0.0.1:3033/health
assets/template/package.json JSON · 24 lines
Native module dependency without explicit security controls
Other files · server.cjs · telegram-bot.cjs · standalone-telegram.cjs · SKILL.md · stamp_template.sh

Security positives

Server binds exclusively to 127.0.0.1, preventing remote access
All endpoints except /health require API token authentication
No credential exfiltration or C2 communication detected
No obfuscation, base64 execution, or suspicious download patterns
Rate limiting registered on Fastify (60 req/min)
Input validation using Zod schemas on all endpoints
No remote script execution (curl|bash, wget|sh)
stamp_template.sh uses safe tar copy with no arbitrary command injection
Skill generates templates without executing them, limiting direct attack surface