manolaz/amoca-sendai-agent-kit-mcp-server
Severity: high
No description
This MCP server provides a standardized interface for interacting with the Solana blockchain using the Solana Agent Kit. It exposes actions such as fe...
```typescript
// Private key and RPC endpoint are read from the environment and passed
// to the SolanaAgentKit constructor as plaintext strings.
const agent = new SolanaAgentKit(
  process.env.SOLANA_PRIVATE_KEY,
  process.env.RPC_URL,
  {
    OPENAI_API_KEY: process.env.OPENAI_API_KEY || "",
  }
);
```
Local-with-credentials MCP: requires a compromised LLM to trigger exposure, but the key is in memory and could be leaked via prompt injection or error handling.
The Solana private key is read from an environment variable and passed directly to the SolanaAgentKit constructor in plaintext. While environment variables are a common practice, the key is stored in memory as a string and could be exposed through memory dumps, error messages, or logging. Additionally, the key is passed to a third-party library (solana-agent-kit) which may log or mishandle it.
Impact: An attacker who gains access to the process memory, logs, or error output could retrieve the private key and gain full control over the associated Solana wallet, including transferring tokens and deploying contracts.
Fix: Use a secrets manager or encrypted keystore to load the private key at runtime. Avoid passing the key as a plaintext string; consider using a secure key derivation or hardware wallet integration. Ensure that error messages and logs do not include the key.
```typescript
DEPLOY_TOKEN: ACTIONS.DEPLOY_TOKEN_ACTION,
```
Local-with-credentials MCP: requires a compromised LLM to exploit, but the action is exposed without safeguards.
The DEPLOY_TOKEN action exposes the full token deployment capability of the Solana Agent Kit. While deploying tokens is within the documented purpose, the action does not impose any restrictions on token parameters (e.g., supply, decimals, metadata). An attacker could deploy malicious tokens, spam the network, or incur significant transaction costs.
Impact: A compromised LLM could instruct the MCP to deploy tokens with arbitrary parameters, potentially draining the wallet's SOL for transaction fees, creating scam tokens, or flooding the blockchain with unwanted tokens.
Fix: Add input validation and rate limiting to the DEPLOY_TOKEN action. Consider requiring explicit user confirmation for deployments or limiting the number of deployments per session. Whitelist allowed token parameters if possible.
```typescript
GET_ASSET: ACTIONS.GET_ASSET_ACTION,
```
Local-with-credentials MCP: requires a compromised LLM to exploit, but lack of validation increases the attack surface.
The GET_ASSET action likely accepts an asset identifier (e.g., mint address) without validation. While the action is intended to fetch asset details, an attacker could provide malformed or malicious inputs that might cause unexpected behavior in the underlying Solana Agent Kit or RPC calls.
Impact: A compromised LLM could supply crafted asset identifiers that trigger errors, cause excessive RPC calls (potential DoS), or exploit vulnerabilities in the Solana Agent Kit's input handling.
Fix: Validate that the asset identifier is a valid Solana address (base58, 32 bytes) before passing it to the action. Implement rate limiting and error handling to prevent abuse.