AI Security Review
scanned 2h ago · by lpm-firewall-aiNo install-time attack behavior is present. Runtime wallet calls can sign and broadcast transactions; swap responses and the public `signAndSendTransaction()` API accept opaque serialized transactions without local instruction validation.
Static reason
High-risk behavior combination matched malicious policy.
Trigger
A consumer calls `makeWallet()` with a local keypair or `CIRCUIT_WALLET`, then calls `swap()` or `signAndSendTransaction()`.
Impact
A compromised or malicious transaction supplier could obtain a valid signature for an unintended on-chain transfer.
Mechanism
Blind signing and broadcast of externally supplied Solana transactions.
Rationale
Static inspection does not establish malicious intent or secret exfiltration, so a block is not supported. The blind-signing design is a concrete high-impact runtime risk and warrants a warning.
Evidence
package.jsondist/index.jsREADME.mddist/index.d.ts
Network endpoints4
lite-api.jup.ag/swap/v1api.jup.ag/swap/v1api.mainnet-beta.solana.comrpc.ankr.com/solana
Decision evidence
public snapshotAI called this Suspicious at 88.0% confidence as Critical Vulnerability with medium false-positive risk.
Evidence for warning
- `dist/index.js` loads `CIRCUIT_WALLET` when `makeWallet()` is called.
- `dist/index.js` signs and broadcasts opaque base64 transactions in `signAndSendTransaction()`.
- `dist/index.js` signs Jupiter-provided serialized swap transactions without local instruction validation.
- `dist/index.js` implements SOL/CIRC transfers and agent trade execution.
Evidence against
- `package.json` has no preinstall/install/postinstall lifecycle hooks.
- No child-process, eval, filesystem-write, persistence, or AI-agent-control mutation appears in inspected files.
- Network use is limited to Solana RPCs and configured Jupiter swap endpoints during wallet operations.
- Secret-key material is used locally for signing; inspected code contains no credential-exfiltration path.
Behavioral surface
CryptoEnvironmentVarsNetwork
UrlStrings
Source & flagged code
2 flagged · loading sourcedist/index.jsView file
4function keypairFromSecret(input) {
L5: if (input instanceof Uint8Array) return Keypair.fromSecretKey(input);
L6: if (Array.isArray(input)) return Keypair.fromSecretKey(Uint8Array.from(input));
L7: const s = String(input).trim();
L8: if (s.startsWith("[")) return Keypair.fromSecretKey(Uint8Array.from(JSON.parse(s)));
L9: return Keypair.fromSecretKey(bs58.decode(s));
L10: }
L11: function loadKeypairFromEnv(env = process.env) {
L12: const v = env.CIRCUIT_WALLET;
...
L88: if (!usesDefaultPublicRpc(opts)) return;
L89: if (process.env.CIRCUIT_SUPPRESS_RPC_WARNING === "1") return;
L90: warned = true;
Critical
Wallet Drain
Source uses private key material to transfer cryptocurrency funds.
dist/index.jsView on unpkg · L44Trigger-reachable chain: manifest.main -> dist/index.js
L4: function keypairFromSecret(input) {
L5: if (input instanceof Uint8Array) return Keypair.fromSecretKey(input);
L6: if (Array.isArray(input)) return Keypair.fromSecretKey(Uint8Array.from(input));
L7: const s = String(input).trim();
L8: if (s.startsWith("[")) return Keypair.fromSecretKey(Uint8Array.from(JSON.parse(s)));
L9: return Keypair.fromSecretKey(bs58.decode(s));
L10: }
L11: function loadKeypairFromEnv(env = process.env) {
L12: const v = env.CIRCUIT_WALLET;
...
L88: if (!usesDefaultPublicRpc(opts)) return;
L89: if (process.env.CIRCUIT_SUPPRESS_RPC_WARNING === "1") return;
L90: warned = true;
Critical
Trigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
dist/index.jsView on unpkg · L4Findings
2 Critical2 Medium2 Low
CriticalWallet Draindist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowUrl Strings