Security Decision Report

pumpclaw-agent

The skill generates a legitimate Telegram+web payment template but contains an undocumented deposit-wallet pattern that stores private keys in SQLite, plus unused treasury keypair code that creates shadow attack surface.

Install decision priority · Source: manual upload · Scan time: 2026/4/4
Files: 11
IOCs: 10
Overreach items: 1
Findings: 4
Most direct threat evidence

Why this conclusion was reached

1 of 4 dimensions triggered

Block    Declared vs. actual capabilities
Found 1 capability or overreach behavior beyond what is declared.

Review   Hidden execution and outbound connections
Extracted 10 general-risk artifacts; these need to be judged in context.

Pass     Attack chain and high-risk findings
No clear malicious path was formed.

Review   Dependencies and supply-chain hygiene
Found 4 dependency or supply-chain leads requiring attention.

How the risk score was raised

Undocumented private key storage pattern +20

SKILL.md safety rule 'Never handle private keys' conflicts with template storing deposit wallet secrets in SQLite; no explicit documentation of this design decision

Unused treasury keypair code +10

server.js:40-43 and server.cjs:72-75 create a treasury Keypair from TREASURY_SECRET_KEY_BASE58 that is never used in any transaction flow

Server-controlled transaction signing +10

SKILL.md 'Never sign transactions on behalf of the user' conflicts with server signing invoices from deposit keypairs (server.js:116-124, server.cjs:210-225)

Key evidence

Medium · Sensitive access

Deposit wallet private keys stored in plaintext SQLite

The template generates per-user deposit keypairs and stores the base58-encoded secret key (deposit_secret_b58) in a SQLite database. This directly contradicts the SKILL.md safety rule 'Never handle private keys / secret key material' and creates severe risk if the database file is accessed.

Location: assets/template/src/server.js:77
Recommendation: Document this design decision explicitly in SKILL.md and consider encrypting the SQLite database at rest, using environment-backed keys, or redesigning to avoid server-side key custody.

Medium · Documentation deception

Unused treasury keypair created from environment secret

Both server.js and server.cjs decode TREASURY_SECRET_KEY_BASE58 into a Keypair and assign it to a 'treasury' variable that is never used in any subsequent code path. This creates shadow attack surface for credential harvesting.

Location: assets/template/src/server.js:40
Recommendation: Remove the unused treasury keypair construction, or document its intended purpose. If it will be used later, implement it fully.

Medium · Documentation deception

Transaction signing not declared in SKILL.md

SKILL.md states 'Never sign transactions on behalf of the user', but the template server signs invoice transactions from deposit keypairs (server-controlled wallets). While these are technically not user keys, this operational behavior is not declared.

Location: assets/template/src/server.js:116
Recommendation: Clarify SKILL.md to distinguish between 'user keys' (never handled) and 'service keys' (managed for deposit wallet operation), documenting the trust model.

Low · Supply chain

Native module dependency without explicit security controls

better-sqlite3 is a native Node.js module that reads/writes binary database files. If the module or its build artifacts are compromised, the entire database, including stored secrets, could be exposed.

Location: assets/template/package.json:12
Recommendation: Pin to an exact version and consider adding integrity verification for native dependencies.

Declared capabilities vs. actual capabilities

Capability          Status  Declared  Inferred  Evidence
File system         Pass    WRITE     WRITE     SKILL.md stamps assets/template/ to customer folder
Command execution   Pass    WRITE     WRITE     scripts/stamp_template.sh uses tar/bash
Network access      Pass    READ      READ      Solana RPC URL for payment verification
Database            Pass    WRITE     WRITE     better-sqlite3 stores deposit wallets and balances
Skill invocation    Pass    NONE      NONE      Skill generates project; doesn't execute template
credential_theft    Block   NONE      WRITE     deposit_secret_b58 stored in SQLite without encryption

Suspicious artifacts and outbound connections

Severity  Type            Value                                 Location
Medium    External URL    http://127.0.0.1:3033                 assets/template/README-FAST.md:4
Medium    External URL    http://127.0.0.1:3033/health          assets/template/README.md:19
Medium    External URL    https://opencollective.com/fastify    assets/template/package-lock.json:111
Medium    External URL    https://paulmillr.com/funding/        assets/template/package-lock.json:275
Medium    External URL    https://www.patreon.com/feross        assets/template/package-lock.json:758
Medium    External URL    https://feross.org/support            assets/template/package-lock.json:762
Medium    External URL    https://opencollective.com/express    assets/template/package-lock.json:987
Medium    External URL    https://dotenvx.com                   assets/template/package-lock.json:1079
Medium    Wallet address  3j5fMGzUMCxWBJ3dV3a7Wz8y2f            assets/template/package-lock.json:1141
Medium    External URL    https://paypal.me/kozjak              assets/template/package-lock.json:1768

Dependencies and supply chain

Package                        Version   Source  Vulnerabilities  Notes
@pump-fun/agent-payments-sdk   3.0.0     npm     -                Major version only; supply chain risk for SDK
@solana/web3.js                ^1.98.0   npm     -                Pinned to major version
better-sqlite3                 ^12.6.2   npm     -                Native module; database contains plaintext private keys
fastify                        ^5.8.2    npm     -                Pinned to major version
grammy                         ^1.41.1   npm     -                Pinned to major version
zod                            ^4.3.6    npm     -                Pinned to major version

File composition

11 files · 3298 lines
JSON: 2 files · 2239 lines
JavaScript: 4 files · 858 lines
Markdown: 4 files · 160 lines
Shell: 1 file · 41 lines

Files of concern · 6

references/PUMP_TOKENIZED_AGENTS.md (Markdown · 21 lines)

assets/template/package-lock.json (JSON · 2215 lines)
https://opencollective.com/fastify · https://paulmillr.com/funding/ · https://www.patreon.com/feross · https://feross.org/support · https://opencollective.com/express · https://dotenvx.com · 3j5fMGzUMCxWBJ3dV3a7Wz8y2f · https://paypal.me/kozjak

assets/template/src/server.js (JavaScript · 251 lines)
Deposit wallet private keys stored in plaintext SQLite · Unused treasury keypair created from environment secret · Transaction signing not declared in SKILL.md

assets/template/README-FAST.md (Markdown · 31 lines)
http://127.0.0.1:3033

assets/template/README.md (Markdown · 30 lines)
http://127.0.0.1:3033/health

assets/template/package.json (JSON · 24 lines)
Native module dependency without explicit security controls

Other files · server.cjs · telegram-bot.cjs · standalone-telegram.cjs · SKILL.md · stamp_template.sh

Security highlights

Server binds exclusively to 127.0.0.1, preventing remote access
All endpoints except /health require API token authentication
No credential exfiltration or C2 communication detected
No obfuscation, base64 execution, or suspicious download patterns
Rate limiting registered on Fastify (60 req/min)
Input validation using Zod schemas on all endpoints
No remote script execution (curl|bash, wget|sh)
stamp_template.sh uses safe tar copy with no arbitrary command injection
Skill generates templates without executing them, limiting direct attack surface