registry  /  @circuit-llm/wallet  /  0.2.4

@circuit-llm/wallet@0.2.4

Circuit SDK wallet — SOL/CIRC balances, transfers, and Jupiter swaps. Implements @circuit-llm/x402's PaymentWallet.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No install-time attack behavior is present. Runtime wallet calls can sign and broadcast transactions; swap responses and the public `signAndSendTransaction()` API accept opaque serialized transactions without local instruction validation.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
A consumer calls `makeWallet()` with a local keypair or `CIRCUIT_WALLET`, then calls `swap()` or `signAndSendTransaction()`.
Impact
A compromised or malicious transaction supplier could obtain a valid signature for an unintended on-chain transfer.
Mechanism
Blind signing and broadcast of externally supplied Solana transactions.
Rationale
Static inspection does not establish malicious intent or secret exfiltration, so a block is not supported. The blind-signing design is a concrete high-impact runtime risk and warrants a warning.
Evidence
package.jsondist/index.jsREADME.mddist/index.d.ts
Network endpoints4
lite-api.jup.ag/swap/v1api.jup.ag/swap/v1api.mainnet-beta.solana.comrpc.ankr.com/solana

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Critical Vulnerability with medium false-positive risk.
Evidence for warning
  • `dist/index.js` loads `CIRCUIT_WALLET` when `makeWallet()` is called.
  • `dist/index.js` signs and broadcasts opaque base64 transactions in `signAndSendTransaction()`.
  • `dist/index.js` signs Jupiter-provided serialized swap transactions without local instruction validation.
  • `dist/index.js` implements SOL/CIRC transfers and agent trade execution.
Evidence against
  • `package.json` has no preinstall/install/postinstall lifecycle hooks.
  • No child-process, eval, filesystem-write, persistence, or AI-agent-control mutation appears in inspected files.
  • Network use is limited to Solana RPCs and configured Jupiter swap endpoints during wallet operations.
  • Secret-key material is used locally for signing; inspected code contains no credential-exfiltration path.
Behavioral surface
Source
CryptoEnvironmentVarsNetwork
Supply chain
UrlStrings
ManifestNo manifest risk signals triggered.
scanned 1 file(s), 14.3 KB of source, external domains: api.jup.ag, api.mainnet-beta.solana.com, lite-api.jup.ag, rpc.ankr.com

Source & flagged code

2 flagged · loading source
dist/index.jsView file
4function keypairFromSecret(input) { L5: if (input instanceof Uint8Array) return Keypair.fromSecretKey(input); L6: if (Array.isArray(input)) return Keypair.fromSecretKey(Uint8Array.from(input)); L7: const s = String(input).trim(); L8: if (s.startsWith("[")) return Keypair.fromSecretKey(Uint8Array.from(JSON.parse(s))); L9: return Keypair.fromSecretKey(bs58.decode(s)); L10: } L11: function loadKeypairFromEnv(env = process.env) { L12: const v = env.CIRCUIT_WALLET; ... L88: if (!usesDefaultPublicRpc(opts)) return; L89: if (process.env.CIRCUIT_SUPPRESS_RPC_WARNING === "1") return; L90: warned = true;
Critical
Wallet Drain

Source uses private key material to transfer cryptocurrency funds.

dist/index.jsView on unpkg · L4
4Trigger-reachable chain: manifest.main -> dist/index.js L4: function keypairFromSecret(input) { L5: if (input instanceof Uint8Array) return Keypair.fromSecretKey(input); L6: if (Array.isArray(input)) return Keypair.fromSecretKey(Uint8Array.from(input)); L7: const s = String(input).trim(); L8: if (s.startsWith("[")) return Keypair.fromSecretKey(Uint8Array.from(JSON.parse(s))); L9: return Keypair.fromSecretKey(bs58.decode(s)); L10: } L11: function loadKeypairFromEnv(env = process.env) { L12: const v = env.CIRCUIT_WALLET; ... L88: if (!usesDefaultPublicRpc(opts)) return; L89: if (process.env.CIRCUIT_SUPPRESS_RPC_WARNING === "1") return; L90: warned = true;
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/index.jsView on unpkg · L4

Findings

2 Critical2 Medium2 Low
CriticalWallet Draindist/index.js
CriticalTrigger Reachable Dangerous Capabilitydist/index.js
MediumNetwork
MediumEnvironment Vars
LowScripts Present
LowUrl Strings