time_bomb
Suspicious deferred execution
Line 2539
Snippets
setInterval(async () => {
setInterval(async () => {
web3_wallet
Crypto wallet access or manipulation
Line 286
Snippets
- ALWAYS submit via Helius Sender endpoints — never raw `sendTransaction` to standard RPC
| **sendTransaction** | 1/s | 5/s | 50/s | 100/s |
- **1 credit**: Standard RPC calls, sendTransaction, Priority Fee API, webhook events
ALWAYS use Helius Sender for transaction submission instead of the standard `sendTransaction` to a regular RPC endpoint. Sender dual-routes transactions to both Solana validators and Jito simultaneously, maximizing block inclusion probability with ultra-low latency.
- For simpler use cases where you do not need manual control, the Helius TypeScript SDK provides `sendSmartTransaction` which handles priority fees, compute units, and retries automatically — but it does NOT use Sender endpoints. For maximum performance, use Sender via the SDK's `sendTransactionWithSender` method, or directly as described below.
data_exfiltration
Data exfiltration attempt
Line 1429
Snippets
- **Parse transactions**: `POST /v0/transactions/?api-key=KEY` — parse known signatures
- **Parse a specific tx**: use `parseTransactions` MCP tool, or `POST /v0/transactions/?api-key=KEY` with `{ transactions: [sig] }`
base64_obfuscation
Potentially obfuscated content (base64)
Line 296
Snippets
- Use `Uint8Array` and `btoa`/`atob` for binary and base64 encoding in the browser — avoid Node.js `Buffer`
- Use `Uint8Array` and `btoa`/`atob` for binary and base64 encoding in the browser — avoid Node.js `Buffer`
const txBytes = Uint8Array.from(atob(serializedTransaction), (c) => c.charCodeAt(0));
const base64Tx = btoa(String.fromCharCode(...new Uint8Array(signedTx)));
const base64Tx = btoa(String.fromCharCode(...new Uint8Array(signedTx)));
network_call
Outbound network call
Line 279
Snippets
- **NEVER expose Helius API keys in client-side code** — no `NEXT_PUBLIC_HELIUS_API_KEY`, no API key in browser `fetch()` URLs, no API key in WebSocket URLs visible in network tab
- **API key in `NEXT_PUBLIC_` env var or browser `fetch` URL** — the key is embedded in the client bundle or visible in the network tab. Proxy through a backend.
const response = await fetch(url, {
const response = await fetch(url);
const response = await fetch('/api/helius/rpc', {
websocket
WebSocket connection
Line 1036
Snippets
const ws = new WebSocket(`wss://mainnet.helius-rpc.com/?api-key=${process.env.HELIUS_API_KEY}`);
const ws = new WebSocket('wss://mainnet.helius-rpc.com/?api-key=YOUR_API_KEY');
const ws = new WebSocket(`wss://mainnet.helius-rpc.com/?api-key=${process.env.HELIUS_API_KEY}`);
const ws = new WebSocket('wss://mainnet.helius-rpc.com/?api-key=YOUR_API_KEY');
env_access
Environment variable access
Line 807
Snippets
const HELIUS_API_KEY = process.env.HELIUS_API_KEY!;
const HELIUS_API_KEY = process.env.HELIUS_API_KEY!;
const ws = new WebSocket(`wss://mainnet.helius-rpc.com/?api-key=${process.env.HELIUS_API_KEY}`);
const HELIUS_API_KEY = process.env.HELIUS_API_KEY!;
const HELIUS_API_KEY = process.env.HELIUS_API_KEY!;
Trust Score
Updated 2 weeks ago
Analyzed
Mar 31, 2026, 15:56
+ 2 previous scans
Compatible with
Skill details
Description
Skill helius-phantom
Recent scans
Mar 31, 2026, 15:56
Latest analysis
Mar 31, 2026, 15:11
Run 2
Mar 27, 2026, 15:43
Run 1