safe-flow-solana-skill Security Report — Suspicious | ClawSafe

42 /100

safe-flow-solana-skill

Payment skill for AI agents on Solana with on-chain rate limiting

SafeFlow Solana skill has undeclared shell execution and missing referenced files, with a doc-to-code mismatch that obscures actual implementation complexity.

Skill Namesafe-flow-solana-skill

Duration42.5s

Enginepi

⚠

Use with caution

Add complete dependency documentation (npx, ts-node, Node.js packages), verify the sdk/src/agent and target/idl/safeflow_solana.json paths exist, and declare all shell commands and network endpoints in SKILL.md.

Findings 5 items

Severity	Finding	Location
High	Undocumented shell command execution Doc Mismatch SKILL.md declares no shell:WRITE but scripts execute solana-keygen (bootstrap.sh:40) and npx ts-node (execute_payment.sh:36). This is significant shell access not disclosed to users. `solana-keygen new --no-bip39-passphrase -o "$KEYPAIR_FILE" --force` → Document all shell commands in SKILL.md under ## Required Tools or ## Declared Capabilities	`scripts/bootstrap.sh:40`
High	Missing referenced implementation files Doc Mismatch execute_payment.sh lines 39 and 41 reference target/idl/safeflow_solana.json and ./sdk/src/agent. Neither file exists in the package. This means the script cannot function as written. `const idl = JSON.parse(fs.readFileSync('target/idl/safeflow_solana.json', 'utf8'));` → Either include these files in the skill package or update SKILL.md to explain these are external dependencies that must be provided separately	`scripts/execute_payment.sh:39`
High	Undeclared Node.js runtime dependency Doc Mismatch save_config.sh and execute_payment.sh require Node.js with packages @solana/web3.js and @coral-xyz/anchor. SKILL.md declares no dependencies, no runtime requirements, and no package manager (npm/pnpm). `node -e "const fs = require('fs');"` → Add a ## Dependencies section to SKILL.md listing Node.js version, npm packages, and any external CLI tools	`scripts/save_config.sh:24`
Medium	Undeclared network endpoints Doc Mismatch SKILL.md does not mention network:READ capability or the Solana API endpoints (api.devnet.solana.com, api.mainnet-beta.solana.com) that execute_payment.sh connects to. `? 'https://api.devnet.solana.com'` → Add ## Network Access section to SKILL.md listing all external API endpoints	`scripts/execute_payment.sh:44`
Low	Unpinned npx/ts-node execution Supply Chain execute_payment.sh uses 'npx ts-node' without version pinning, which could execute different versions over time. The SKILL.md also does not declare this tool requirement. `npx ts-node -e "` → Pin ts-node version in package.json and document the requirement in SKILL.md	`scripts/execute_payment.sh:36`

Resource	Declared	Inferred	Status	Evidence
Filesystem	`NONE`	`WRITE`	✓ Aligned	bootstrap.sh:35 writes .safeflow/config.json
Shell	`NONE`	`WRITE`	✓ Aligned	bootstrap.sh:40 executes solana-keygen; execute_payment.sh:36 executes npx ts-no…
Network	`NONE`	`READ`	✓ Aligned	execute_payment.sh:44-46 connects to api.devnet.solana.com
Environment	`NONE`	`NONE`	—	No environment variable access detected

2 findings

🔗

Medium External URL 外部 URL

https://api.devnet.solana.com

scripts/execute_payment.sh:44

🔗

Medium External URL 外部 URL

https://api.mainnet-beta.solana.com

scripts/execute_payment.sh:46

File Tree

4 files · 7.9 KB · 264 lines

Shell 3f · 193L Markdown 1f · 71L

├─ ▾ 📁 scripts

│ ├─ 🔧 bootstrap.sh Shell 64L · 1.7 KB

│ ├─ 🔧 execute_payment.sh Shell 91L · 3.1 KB

│ └─ 🔧 save_config.sh Shell 38L · 1.0 KB

└─ 📝 SKILL.md Markdown 71L · 2.1 KB

Dependencies 5 items

Package	Version	Source	Known Vulns	Notes
`npx`	`*`	npm	No	Not pinned, not declared in SKILL.md
`ts-node`	`*`	npm	No	Not pinned, not declared in SKILL.md
`@solana/web3.js`	`*`	npm	No	Not declared in SKILL.md, loaded at runtime
`@coral-xyz/anchor`	`*`	npm	No	Not declared in SKILL.md, loaded at runtime
`solana-keygen`	`*`	cli	No	External Solana CLI tool, not declared in SKILL.md

Security Positives

✓ No credential harvesting or sensitive data exfiltration detected

✓ No base64-encoded obfuscation or anti-analysis techniques found

✓ No reverse shell, C2, or reverse connection behavior

✓ No hidden instructions in comments or documentation

✓ No attempts to access ~/.ssh, ~/.aws, or .env files

✓ Payment logic appears to be legitimate Solana on-chain rate limiting

✓ No evidence of persistence mechanisms (cron, startup hooks, backdoors)

Scan Report

Findings 5 items

File Tree

Dependencies 5 items

Security Positives