Is maddefientist/slopesniper safe?
https://github.com/openclaw/skills/tree/main/skills/maddefientist/slopesniper
SlopeSniper's SKILL.md is free of explicit prompt injection and the installation clone was clean, but the skill's architecture presents serious security concerns: it requires a Solana private key to be stored in agent configuration and passed to an unaudited external Python MCP package (github.com/maddefientist/SlopeSniper) that was not evaluated in this audit. Auto-execution of irreversible financial transactions without per-trade confirmation, combined with a 'Degen' mode that removes all safety checks, creates significant financial risk vectors that could be triggered by prompt injection from other sources. No canary file exfiltration was confirmed, but sensitive credential files were read post-install with ambiguous process attribution.
Findings (8)
CRITICAL (-40): Solana private key required by unaudited external MCP package
The skill requires SOLANA_PRIVATE_KEY — a cryptographic private key granting complete and irreversible control over a Solana blockchain wallet — to be stored in the agent's configuration and passed to an external Python MCP server (slopesniper-mcp) installed from github.com/maddefientist/SlopeSniper. This package was not evaluated in this audit. Any malicious or vulnerable code in that package can read the key from the environment, sign unauthorized transactions, and drain the wallet with no recovery path. Cryptocurrency private keys are not rotatable after compromise.
HIGH (-35): External Python package installed from unaudited third-party GitHub repository
The install step fetches and installs a Python package directly from github.com/maddefientist/SlopeSniper via uv. This repository is controlled by a third party (maddefientist) and its contents were not analyzed in this audit. The package could contain malicious install hooks (setup.py scripts, pyproject build steps) that execute during installation, or runtime code in the two installed binaries (slopesniper-mcp, slopesniper-api) that exfiltrates credentials, manipulates trade routing, or establishes persistence on the host.
HIGH (-30): Auto-execution of irreversible financial transactions without per-trade confirmation
All four trading strategies include auto-execution thresholds where on-chain trades are executed without asking the user for confirmation. Degen mode has no safety checks for any trade and auto-executes up to $100 per trade, with a $1000 maximum requiring only a single confirmation. An attacker who can issue natural language commands to the agent — via prompt injection in another skill, a malicious document, or environmental content — can trigger real, irreversible blockchain transactions. Blockchain transactions cannot be reversed after confirmation.
HIGH (-20): Sensitive credential files accessed post-install (ambiguous process attribution)
Six canary credential files were read-accessed at audit timestamp 1771925402 — after skill installation completed at ~1771925397. An identical set of reads occurred at 1771925385 (pre-clone) that is attributable to the audit harness creating canary files. The post-install reads at 1771925402 have ambiguous process attribution from available evidence. While the canary integrity mechanism reports no exfiltration, the reads themselves indicate something scanned these credential locations after the skill was installed.
MEDIUM (-15): Degen mode normalizes removal of all financial safety guardrails
The skill presents 'Degen' as a normal trading strategy alongside Conservative and Balanced options with no indication that it eliminates all safety checks. This framing normalizes maximum financial exposure as a routine user choice. If an agent operating this skill encounters injected content that instructs it to 'use degen strategy' or 'set aggressive mode', the agent may silently escalate financial exposure to $1000 per trade with no safety validation and up to $100 auto-execution per trade.
MEDIUM (-15): Inline Python execution templates with dynamic parameters and agent path access
The Tool Reference section documents execution patterns using 'uv run --directory {baseDir}/../mcp-extension python -c' with inline Python and dynamic parameters (token names, amounts). The {baseDir} template variable indicates the skill is path-aware in the agent context. If token names sourced from external content (e.g., a malicious DeFi site, document, or another skill's output) are passed unsanitized to these patterns, Python code injection could result in execution of arbitrary code with wallet credential access.
LOW (-5): Expected GitHub connection only; clean installation footprint
The installation process made only expected network connections to 140.82.121.3 (GitHub.com) for the git sparse-checkout. Pre-existing Ubuntu infrastructure connections were already established before the audit and terminated cleanly. The connection diff shows no new persistent outbound connections after installation. The install process itself was limited to standard git and filesystem operations.
INFO (0): All canary honeypot files intact; no confirmed exfiltration
The canary integrity monitoring mechanism reports all honeypot files (fake .env, SSH keys, AWS credentials, etc.) are unmodified and no data was observed leaving the system through monitored channels. File access events showed CLOSE_NOWRITE (read-only access) rather than write or modification events. The canary integrity system did not trigger.