Nuero AI
Nuero is safe to use: no malicious code, no drainers, no hidden wallet interactions. Your keys are managed by Privy's embedded-wallet infrastructure rather than by Nuero's servers, and your funds stay under your control.
Deductions
Without CSP, any XSS injection can load arbitrary scripts — critical for a site handling financial transactions and collecting shipping addresses/phone numbers.
Clickjacking risk on financial interfaces — an attacker could trick users into initiating deposits or swaps via invisible overlays.
Not Scored (Token Metrics)
Mint authority (revoked)
Token metric — not product security
Freeze authority (revoked)
Token metric — not product security
Bundle activity (detected)
Token market dynamics — not product security
Holder concentration (32%)
Token distribution — not product security
Deployer fee extraction
Token economics — not product security
Anonymous team
Social/marketing legitimacy — not product security
Score: 100 - 8 (missing CSP, TG-001) - 8 (missing X-Frame-Options, TG-002) = 84
Is this a rug?
Mint Authority
No one can create new tokens — mint authority is permanently revoked
Freeze Authority
No one can freeze your wallet — freeze authority is permanently revoked
Upgrade Authority
Pump.fun token — no on-chain program to upgrade
LP Status
Trading on pump.fun bonding curve — standard for this token type
Deployer History
First and only token launch — no previous rugs or abandoned projects
Bundle Activity
46+ wallets bought in coordinated bursts at launch — common for hyped launches but worth noting
What we found
Findings at a glance
0 critical, 0 high, 2 medium — both are missing security headers that are easy to fix and don't put your funds at risk.
Nuero (nuero.chat) is an AI-powered agent on Solana that enables shopping, travel booking, token swaps, and payments — all using USDC. The platform launched in late March 2026 with a pump.fun token ($NUERO) and has grown to 797 holders and 1,214 registered users within its first week.
The external review found no malicious code, drainer scripts, or hidden wallet interactions across both public and authenticated pages. The frontend communicates only with legitimate services (Privy for authentication, Supabase for backend, WalletConnect for wallet discovery, Google Fonts for typography). Authentication is handled through Privy's industry-standard email OTP system with embedded wallet creation — a secure, well-established approach. The product is functional: the AI chat interface works, settings collect shipping information for e-commerce orders, and deposit/withdraw/trade interfaces are accessible.
The two scored findings are missing security headers (Content-Security-Policy and X-Frame-Options). Neither is an exploitable bug on its own; each removes a browser-side mitigation: without CSP, any XSS injection point an attacker finds can load scripts from arbitrary domains, and without a framing restriction the site can be embedded in an attacker's page for clickjacking. Both are configuration-level fixes that can be applied via next.config.js headers() or the Cloudflare dashboard, although a CSP should be rolled out in Report-Only mode first so the third-party origins the app needs are confirmed before enforcement. On the token side, mint and freeze authorities are permanently revoked, and the deployer has no rug history (single launch). However, coordinated same-slot buying was detected at launch (46+ wallets in the first 10 slots), each transaction with its own fee payer, which points to competing sniper bots rather than a single-actor bundle; and the deployer is actively extracting pump.fun fees and converting them to USDC. The team behind Nuero is anonymous: no doxxed founders or verifiable team information is available. These token-level observations are provided as context for traders but do not affect the security score, which reflects product safety only.
| Scope Item | Status | Notes |
|---|---|---|
| Frontend security (public pages) | complete | 6 pages tested via Playwright — homepage, chat login, demos, token page, support, about. All pages screenshotted and analyzed. |
| Frontend security (authenticated) | complete | Logged in via Privy OTP (solmelting@gmail.com). Tested chat interface, dashboard, settings, portfolio. Captured network requests — 0 suspicious. |
| Security headers | complete | HTTP response headers analyzed via curl. HSTS, X-Content-Type-Options, Referrer-Policy present. CSP and X-Frame-Options missing. |
| Network request analysis | complete | 283 requests (public) + 176 requests (authenticated) intercepted. External domains: Google Fonts, WalletConnect, Privy, Supabase. 0 suspicious requests. |
| Drainer/phishing detection | complete | No drainer scripts, setApprovalForAll patterns, clipboard hijacking, or data exfiltration detected in public or authenticated states. |
| Twitter/social analysis | complete | Operator-assisted. @useNuero verified account, joined March 2026, 621 followers, 47 posts. Engagement mixed — some organic, some low-quality bot replies. |
| Domain analysis | complete | nuero.chat resolves to 185.158.133.1. Cloudflare CDN. .chat TLD WHOIS limited — registrar data not publicly exposed. |
| On-chain authority checks | complete | Mint and freeze authority both revoked. Token2022 program. Supply: 998,452,882.55 NUERO. |
| Holder analysis | complete | Full paginated analysis via Helius getTokenAccounts — 797 holders across 1 page. Top 10 concentration: 31.81%. |
| Deployer analysis | complete | Deployer 4TQoKzwi... identified via first transaction. 1 token launch only (this one). Currently collecting pump.fun fees and converting to USDC via Jupiter swaps. |
| Bundle detection | complete | First 50 transactions analyzed. 46+ unique buyers in 10 slots. Coordinated same-slot buying detected across multiple slots. |
Methodology
This audit was performed using TrenchGuard's AI-assisted review process with human oversight.
Token trades on pump.fun bonding curve. Standard automated market maker for pump.fun launches.
797 total holders. Top wallet holds 10.07% (ApakgD368htq...), top 5 hold 23.98%, top 10 hold 31.81%. Deployer wallet (4TQo...) holds 0 tokens. No single wallet exceeds common concentration thresholds outside top 2.
46+ unique wallets bought in coordinated same-slot transactions within the first 10 slots after token creation. Slot 409921027 had 9 buys, slot 409921025 had 6 buys, and slot 409921022 had 5 buys. Each wallet used a different fee payer, which is consistent with competing sniper bots rather than a single actor submitting a bundle (one fee payer signing many buys). The deployer bought 100M tokens (10% of supply) in the creation transaction and holds none today.
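The slot-grouping and fee-payer check described above, as an added example (this is not TrenchGuard's detector): buys are bucketed by slot, and a slot where every buy has its own fee payer is labelled as sniper bots, while a slot whose buys all share one fee payer is labelled as a single-actor bundle. The transactions are constructed to resemble the report's counts (9, 6 and 5 buys in three slots) plus one bundled slot and one organic buy; wallet names and the `minBuysPerSlot` threshold are placeholders.

```javascript
// Added example, not part of the report. Build constructed buy records:
// each record is { slot, buyer, feePayer }; with no sharedFeePayer the buyer
// pays its own fee (sniper pattern), otherwise one wallet pays for all (bundle).
function makeBuys(slot, count, prefix, sharedFeePayer) {
  return Array.from({ length: count }, (_, i) => {
    const buyer = `${prefix}-${slot}-${i + 1}`;
    return { slot, buyer, feePayer: sharedFeePayer || buyer };
  });
}

// Constructed sample: three sniper slots mirroring the report's numbers,
// one single-actor bundle, and one lone organic buy.
const SAMPLE_TXS = [
  ...makeBuys(409921022, 5, 'sniper'),
  ...makeBuys(409921025, 6, 'sniper'),
  ...makeBuys(409921027, 9, 'sniper'),
  ...makeBuys(409921030, 4, 'bundled', 'bundler-fee-payer'),
  { slot: 409921031, buyer: 'organic-1', feePayer: 'organic-1' },
];

// Group buys by slot and classify every slot with at least minBuysPerSlot buys.
function analyzeLaunch(txs, { minBuysPerSlot = 3 } = {}) {
  const bySlot = new Map();
  for (const tx of txs) {
    if (!bySlot.has(tx.slot)) bySlot.set(tx.slot, []);
    bySlot.get(tx.slot).push(tx);
  }
  const slots = [...bySlot.keys()].sort((a, b) => a - b);
  const clusters = [];
  for (const slot of slots) {
    const list = bySlot.get(slot);
    if (list.length < minBuysPerSlot) continue; // too few buys to call coordinated
    const feePayers = new Set(list.map((t) => t.feePayer));
    clusters.push({
      slot,
      buys: list.length,
      uniqueBuyers: new Set(list.map((t) => t.buyer)).size,
      uniqueFeePayers: feePayers.size,
      // One fee payer signing many buys is a bundle; many independent fee payers
      // landing in the same slot is the sniper-bot pattern the report describes.
      pattern: feePayers.size === 1 ? 'single-actor bundle' : 'sniper bots',
    });
  }
  return {
    uniqueBuyers: new Set(txs.map((t) => t.buyer)).size,
    slotsSpanned: slots.length ? slots[slots.length - 1] - slots[0] + 1 : 0,
    clusters,
  };
}
```

Real input would come from the token's earliest signatures (for example via getSignaturesForAddress on the bonding-curve account and then fetching each transaction), with `buyer` taken from the token account owner credited in the buy and `feePayer` from the first account key of the transaction message.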
| ID | Severity | Title |
|---|---|---|
| TG-001 | medium | Missing Content-Security-Policy header |
| TG-002 | medium | Missing X-Frame-Options header |
| TG-003 | info | Clean external dependency chain |
| TG-004 | info | Privy authentication — industry standard |
| TG-005 | info | No drainer or phishing behavior detected |
Missing Content-Security-Policy header
Description
The website does not set a Content-Security-Policy (CSP) HTTP response header. CSP does not prevent an injection bug, but it limits what an injected payload can do: with a restrictive script-src, an attacker who finds an injection point cannot load JavaScript from attacker-controlled domains, and with nonces or hashes cannot run inline script either. Without it, any XSS bug lets the attacker load and execute arbitrary JavaScript from any domain. For a site that handles financial transactions (deposits, withdrawals, token swaps) and collects PII (shipping addresses, phone numbers), this is a meaningful gap. Both Cloudflare and Next.js support CSP configuration.
Location
HTTP response headers — nuero.chat

```text
# Current headers (missing CSP):
strict-transport-security: max-age=31536000; includeSubDomains
referrer-policy: strict-origin-when-cross-origin
x-content-type-options: nosniff
# Missing: content-security-policy
# Missing: x-frame-options
```
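The header check behind TG-001 and TG-002, as an added example (not the report's tooling): it parses a raw response-header dump like the one above and applies the report's deductions, 8 points for a missing CSP and 8 for a missing framing restriction. Two choices are this example's own and not the report's: a CSP `frame-ancestors` directive counts as a clickjacking control even without X-Frame-Options, and a CSP whose script-src allows `'unsafe-inline'` is reported under a hypothetical `CSP-INLINE` id with no points. The header text is constructed to mirror what the report observed on nuero.chat.

```javascript
// Added example, not part of the report.
// Constructed sample: the headers the report observed (status line included,
// as curl -I would print it).
const SAMPLE_HEADERS = `HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains
referrer-policy: strict-origin-when-cross-origin
x-content-type-options: nosniff
content-type: text/html; charset=utf-8`;

// Parse "Name: value" lines into a map keyed by lower-cased name.
// The status line has no colon and is skipped; repeated headers are joined.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return headers;
}

// Split a CSP value into { directive: [source, ...] }.
function parseCsp(csp) {
  const directives = {};
  for (const part of csp.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    directives[tokens[0].toLowerCase()] = tokens.slice(1);
  }
  return directives;
}

// Evaluate the headers and return the findings plus the resulting score.
function auditHeaders(headers) {
  const findings = [];
  const csp = headers['content-security-policy'];
  let frameAncestors = false;

  if (!csp) {
    findings.push({ id: 'TG-001', severity: 'medium', points: 8,
      title: 'Missing Content-Security-Policy header' });
  } else {
    const d = parseCsp(csp);
    const scriptSrc = d['script-src'] || d['default-src'] || [];
    // 'unsafe-inline' in script-src re-enables the inline-script XSS vector CSP is meant to block.
    if (scriptSrc.includes("'unsafe-inline'")) {
      findings.push({ id: 'CSP-INLINE', severity: 'low', points: 0, // hypothetical id
        title: "script-src allows 'unsafe-inline'; use nonces or hashes instead" });
    }
    frameAncestors = Boolean(d['frame-ancestors']);
  }

  // frame-ancestors supersedes X-Frame-Options in browsers that support CSP2,
  // so either control is accepted as a clickjacking mitigation here.
  if (!headers['x-frame-options'] && !frameAncestors) {
    findings.push({ id: 'TG-002', severity: 'medium', points: 8,
      title: 'Missing X-Frame-Options header (and no CSP frame-ancestors)' });
  }

  const score = 100 - findings.reduce((sum, f) => sum + f.points, 0);
  return { findings, score };
}

// Hardened variant, constructed for comparison: nonce-based script-src, frame-ancestors, XFO.
const HARDENED_HEADERS = SAMPLE_HEADERS +
  "\ncontent-security-policy: default-src 'self'; script-src 'self' 'nonce-abc123'; frame-ancestors 'none'" +
  '\nx-frame-options: DENY';
```

Run `auditHeaders(parseHeaders(SAMPLE_HEADERS))` to reproduce the report's 84; the hardened variant scores 100 with no findings.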
Remediation
Add a Content-Security-Policy header via next.config.js headers() or the Cloudflare dashboard. Recommended starting policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://auth.privy.io; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://auth.privy.io https://*.supabase.co https://explorer-api.walletconnect.com; frame-src https://auth.privy.io; frame-ancestors 'none'. Two caveats. First, 'unsafe-inline' in script-src is a compromise that gives up most of CSP's XSS protection, because injected inline script is still allowed; replace it with a per-request nonce (Next.js can issue one from middleware) or with hashes once the app's inline scripts are known. Second, the allow-list above is built only from the origins observed during this review, so ship it as Content-Security-Policy-Report-Only first and widen it from the browser's violation reports (for example, if the app uses Supabase Realtime, its websocket endpoint must also be permitted in connect-src) before switching to the enforcing header.
Missing X-Frame-Options header
Description
The website does not set an X-Frame-Options HTTP response header. This allows the site to be embedded in iframes on any domain, enabling clickjacking attacks. An attacker could overlay Nuero's deposit or swap interfaces with invisible elements on a malicious site, tricking users into initiating transactions they didn't intend.
Location
HTTP response headers — nuero.chat
Remediation
Add X-Frame-Options: DENY (or SAMEORIGIN if the app needs to frame itself) via next.config.js headers() or the Cloudflare dashboard, and add frame-ancestors 'none' to the CSP header as well. The two are complementary rather than redundant: X-Frame-Options is the legacy control, and browsers that implement CSP Level 2 ignore it when a frame-ancestors directive is present, so the CSP directive governs modern browsers while X-Frame-Options covers older ones. Neither header affects Privy's login iframe: nuero.chat embeds auth.privy.io (governed by frame-src), whereas these headers only restrict who may embed nuero.chat.
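The remediation for both TG-001 and TG-002 in one place, as an added example that is not the Nuero project's own next.config.js: a CSP built from the origins the report observed (Privy, Supabase, WalletConnect, Google Fonts) together with frame-ancestors 'none' and X-Frame-Options: DENY, plus the three headers the site already sends. The `wss://*.supabase.co` entry is an assumption for Supabase Realtime, and the `reportOnly` switch exists so the policy can be watched in Report-Only mode before it is enforced.

```javascript
// Added example, not the project's config. Directives are kept as an object so
// the policy can be reviewed line by line and serialised once.
const CSP_DIRECTIVES = {
  'default-src': ["'self'"],
  // 'unsafe-inline' mirrors the report's starting policy; it is a compromise that a
  // nonce- or hash-based script-src (Next.js can issue nonces from middleware) removes.
  'script-src': ["'self'", "'unsafe-inline'", 'https://auth.privy.io'],
  'style-src': ["'self'", "'unsafe-inline'", 'https://fonts.googleapis.com'],
  'font-src': ["'self'", 'https://fonts.gstatic.com'],
  'connect-src': [
    "'self'",
    'https://auth.privy.io',
    'https://*.supabase.co',
    'wss://*.supabase.co', // assumption: Supabase Realtime websocket
    'https://explorer-api.walletconnect.com',
  ],
  'frame-src': ['https://auth.privy.io'], // Privy's OTP iframe, which nuero.chat embeds
  'frame-ancestors': ["'none'"],          // nobody may embed nuero.chat (pairs with X-Frame-Options)
  'object-src': ["'none'"],
  'base-uri': ["'self'"],
};

// Serialise { directive: [sources] } into a CSP header value.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Full header set. reportOnly=true emits Content-Security-Policy-Report-Only so
// violations are logged by the browser but not blocked during rollout.
function securityHeaders({ reportOnly = false } = {}) {
  return [
    {
      key: reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy',
      value: buildCsp(CSP_DIRECTIVES),
    },
    { key: 'X-Frame-Options', value: 'DENY' },
    // The three headers the site already sends, kept so this config is the single source of truth.
    { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains' },
    { key: 'X-Content-Type-Options', value: 'nosniff' },
    { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
  ];
}

const nextConfig = {
  async headers() {
    // '/(.*)' matches every route, so API routes and static assets get the headers too.
    return [{ source: '/(.*)', headers: securityHeaders() }];
  },
};

// next.config.js is CommonJS; the guard lets the file also load where `module` is absent.
if (typeof module !== 'undefined') module.exports = nextConfig;
```

To roll out, call `securityHeaders({ reportOnly: true })` inside `headers()` first, watch the console (or a report-to endpoint) for blocked origins, then drop the flag.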
Clean external dependency chain
All external domains contacted by the site are legitimate and expected: Google Fonts (typography), WalletConnect Explorer API (wallet connection), Privy (authentication), Supabase (backend database). No unexpected third-party scripts, analytics trackers, or ad networks were detected in either public or authenticated states.
Privy authentication — industry standard
Authentication is handled via Privy (privy.io), a well-established Web3 auth provider. Login uses email OTP via an isolated iframe (auth.privy.io). Embedded wallets are created by Privy — user keys are managed by Privy's infrastructure, not by Nuero's servers directly. This is a secure, standard approach.
No drainer or phishing behavior detected
Comprehensive testing of both public and authenticated pages found zero indicators of malicious wallet interaction: no hidden transaction signing, no clipboard hijacking, no data exfiltration to unknown domains, and no approval-style delegation patterns. (setApprovalForAll is an EVM/ERC-721 pattern; on Solana the equivalents to watch for in any signing prompt are SPL Token Approve and SetAuthority instructions and bulk signAllTransactions requests. The relevant result here is that no hidden signing was observed at all.) The mock wallet injection test and authenticated session test both returned clean results, with 0 suspicious requests across 459 total intercepted requests.
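What a mock wallet injection test can look like on Solana, as an added example that is not the report's harness: a fake provider installed as `window.solana` before the page loads, which never signs anything, records every signing request, and flags the Solana-native equivalents of a setApprovalForAll drainer. The SPL Token program id and the instruction indices (Approve = 4, SetAuthority = 6, Transfer = 3) are real; the transaction shape `{ instructions: [{ programId, data }] }` is a simplification of @solana/web3.js Transaction objects, and the sample transactions and the mock public key are constructed placeholders.

```javascript
// Added example, not the report's tooling.
const SPL_TOKEN_PROGRAM = 'TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA';
const SPL_APPROVE = 4;        // SPL Token instruction index for Approve
const SPL_SET_AUTHORITY = 6;  // SPL Token instruction index for SetAuthority

// Return human-readable reasons a transaction looks like a drainer, or [].
function classifyTransaction(tx) {
  const reasons = [];
  for (const ix of tx.instructions || []) {
    if (String(ix.programId) !== SPL_TOKEN_PROGRAM) continue;
    const tag = ix.data[0]; // first byte of SPL Token instruction data is the instruction index
    if (tag === SPL_APPROVE) reasons.push('spl-token Approve: delegates spending of a token account');
    if (tag === SPL_SET_AUTHORITY) reasons.push('spl-token SetAuthority: transfers account ownership');
  }
  return reasons;
}

// Install the mock provider on `target` (window in a browser) and return the log it fills.
function installMockWallet(target) {
  const log = [];
  const refuse = (method, txs) => {
    const flags = txs.flatMap(classifyTransaction);
    if (method === 'signAllTransactions' && txs.length > 1) {
      flags.push(`bulk signAllTransactions (${txs.length} transactions in one prompt)`);
    }
    log.push({ method, count: txs.length, flags }); // recorded synchronously, before rejecting
    return Promise.reject(new Error(`mock wallet: ${method} refused`));
  };
  target.solana = {
    isPhantom: true,                                   // what Phantom-detecting code looks for
    publicKey: 'MockWa11et111111111111111111111111111111111', // constructed placeholder address
    connect: async () => ({ publicKey: target.solana.publicKey }),
    disconnect: async () => {},
    signTransaction: (tx) => refuse('signTransaction', [tx]),
    signAllTransactions: (txs) => refuse('signAllTransactions', txs),
    signAndSendTransaction: (tx) => refuse('signAndSendTransaction', [tx]),
    signMessage: () => refuse('signMessage', []),
    on: () => {},                                      // event subscriptions are ignored
  };
  return log;
}

// Entries that deserve a human look.
function suspiciousEntries(log) {
  return log.filter((e) => e.flags.length > 0);
}

// Constructed sample transactions. Data is [instruction index, u64 little-endian amount].
const TOKEN_TRANSFER_TX = {
  instructions: [{ programId: SPL_TOKEN_PROGRAM, data: Uint8Array.of(3, 16, 39, 0, 0, 0, 0, 0, 0) }], // Transfer of 10000 raw units
};
const DRAINER_TX = {
  instructions: [{ programId: SPL_TOKEN_PROGRAM, data: Uint8Array.of(4, 255, 255, 255, 255, 255, 255, 255, 255) }], // Approve u64::MAX
};
```

In a Playwright run the provider would be installed with `page.addInitScript` so it exists before any page script runs; after exercising the deposit, swap and withdraw flows, `suspiciousEntries(log)` should be empty, and any entry at all shows exactly which UI action asked the wallet to sign.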
Opcode scores reflect product and code security only. Token market metrics (holder distribution, bundle activity, LP status, deployer history) are shown as informational context but do not impact the score.
This ensures that a well-built product with a messy token launch is scored fairly on its engineering merits, and a poorly-built product with a perfect token distribution is scored on its actual security gaps.
Standard Deductions
Fixed findings deduct nothing. Partially fixed findings deduct half. Info findings carry no deduction and document positive confirmations.
Disclaimer
This audit was performed by Opcode using AI-assisted review with human oversight. While we strive for thoroughness, no audit can guarantee the complete absence of vulnerabilities. This report is not financial or legal advice. Users should perform their own due diligence. © 2026 Opcode — opcode.run