x402agent/pump-security
.agents/skills/pump-security/SKILL.md
Defense-in-depth security across Rust, TypeScript, and Bash for the Pump SDK — cryptographic key handling, memory zeroization, secure file I/O, input validation, privilege management, dependency auditing, and a 60+ item security checklist.
$ install --global
skillsauthnpx skillsauth add x402agent/solana-clawd pump-securityInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 2:38 AM9.7s1 file scanned
SKILL.md
- name:
- pump-security
- description:
- Defense-in-depth security across Rust, TypeScript, and Bash for the Pump SDK — cryptographic key handling, memory zeroization, secure file I/O, input validation, privilege management, dependency auditing, and a 60+ item security checklist.
- homepage:
- https://github.com/nirholas/pump-fun-sdk
Security Practices — Cryptographic Safety, Memory Zeroization & Hardened I/O
Defense-in-depth security across Rust, TypeScript, and Bash: key handling, memory zeroization, secure file I/O, input validation, privilege management, and dependency auditing.
Memory Zeroization
Rust
use zeroize::Zeroize;
struct SecureBytes(Vec<u8>);
impl Drop for SecureBytes {
fn drop(&mut self) {
self.0.zeroize();
}
}
TypeScript
try {
// ... use secretKey
} finally {
secretKey.fill(0);
// Best-effort: GC may have copied the buffer
}
Shell
shred -u "$keypair_file" 2>/dev/null || rm -P "$keypair_file"
RNG Quality
| Language | Source | Verification |
|----------|--------|-------------|
| Rust | OsRng | Verify via solana-sdk internals |
| TypeScript | crypto.getRandomValues | Node.js built-in CSPRNG |
| Shell | solana-keygen | Delegates to Rust OsRng |
Keypair Integrity Verification
- Re-derive public key from secret key
- Compare derived key with stored public key
- Sign a test message with the keypair
- Verify the signature with the public key
- Validate Base58 encoding roundtrip
Secure File I/O
- Set permissions to
0o600before writing content (race-free on Unix) - Use
O_CREAT | O_EXCLto prevent overwrites - Write to temp file + atomic rename for crash safety
- Never write secret keys to stdout unless explicitly requested
Input Validation
| Input | Validation |
|-------|-----------|
| Base58 address | Regex: ^[1-9A-HJ-NP-Za-km-z]{32,44}$ |
| File paths | Reject .., prevent traversal |
| Tool inputs | Zod schemas in MCP server |
| Shell arguments | Quoted variables, no eval |
Security Checklist Summary (60+ items)
Key categories:
- Cryptographic library allowlist
- Memory zeroization in all code paths
- File permission enforcement
- Input validation and sanitization
- Error message information leakage prevention
- Dependency auditing (
cargo audit,npm audit) - No network calls during key generation
- Secret key never in logs, error messages, or telemetry
Attack Vectors to Test
| Vector | Defense | |--------|---------| | Weak RNG | Only CSPRNG (OsRng / crypto.getRandomValues) | | Memory dump | Zeroize on drop/finally | | File permission leak | 0o600 enforcement | | Path traversal | Input validation | | Shell injection | Quoted variables, no eval | | Dependency supply chain | cargo audit, npm audit |
Patterns to Follow
- Always use approved crypto libraries:
solana-sdk,@solana/web3.js,solana-keygen - Zeroize key material in all code paths (success, error, early return)
- Set file permissions before writing content
- Validate all inputs at the boundary (CLI args, API inputs, file paths)
- Never log or display secret keys
- Run dependency audits in CI
Common Pitfalls
- JavaScript
fill(0)is best-effort — GC may relocate buffers - Rust
Stringtypes may leave copies in memory — useVec<u8>withZeroize chmodafterwritehas a race window — preferfchmodor umask- Error messages must not include secret key material
cargo auditmay miss recently disclosed CVEs — supplement with manual review
Related Skills
x402agent/qedgen
development
VerifiedTrustedCommunity
Formally verify programs by writing Lean 4 proofs. Trigger this skill whenever the user wants to formally verify code, generate Lean 4 proofs, prove properties about algorithms or smart contracts, verify invariants, convert program logic into formal specifications, or anything involving Lean 4 and formal verification. Also trigger when the user mentions "qedgen", "lean proof", "formal proof", "verify my code", "prove correctness", "formal verification", or wants mathematical guarantees about their implementation.
15SKILL.mdUpdated Apr 19, 2026
x402agent/skills/swarm-orchestrator
data-ai
VerifiedTrustedCommunity
Orchestrate multi-bot trading swarms on Pump.fun with persona-driven agents
14SKILL.mdUpdated Apr 19, 2026
x402agent/solana-dev
tools
VerifiedTrustedCommunity
End-to-end Solana development playbook (Jan 2026). Prefer Solana Foundation framework-kit (@solana/client + @solana/react-hooks) for React/Next.js UI. Prefer @solana/kit for all new client/RPC/transaction code. When legacy dependencies require web3.js, isolate it behind @solana/web3-compat (or @solana/web3.js as a true legacy fallback). Covers wallet-standard-first connection (incl. ConnectorKit), Anchor/Pinocchio programs, Codama-based client generation, LiteSVM/Mollusk/Surfpool testing, and security checklists.
14SKILL.mdUpdated Apr 19, 2026
x402agent/skills/pumpfun-trading
tools
VerifiedTrustedCommunity
Buy and sell tokens on Pump.fun bonding curves and AMM pools
14SKILL.mdUpdated Apr 19, 2026