Nuero AI
Executive Summary
Nuero (nuero.chat) is an AI-powered agent on Solana that enables shopping, travel booking, token swaps, and payments — all using USDC. The platform launched in late March 2026 with a pump.fun token ($NUERO) and has grown to 797 holders and 1,214 registered users within its first week.
The external review found no malicious code, drainer scripts, or hidden wallet interactions across both public and authenticated pages. The frontend communicates only with legitimate services (Privy for authentication, Supabase for backend, WalletConnect for wallet discovery, Google Fonts for typography). Authentication is handled through Privy's industry-standard email OTP system with embedded wallet creation — a secure, well-established approach. The product is functional: the AI chat interface works, settings collect shipping information for e-commerce orders, and deposit/withdraw/trade interfaces are accessible.
The two scored findings are missing security headers (Content-Security-Policy and X-Frame-Options). Neither is an exploitable vulnerability on its own, but their absence removes the browser-side mitigations that would contain an XSS injection found elsewhere in the app and that stop the site from being framed for clickjacking. Both are configuration-level fixes that can be applied in minutes via Next.js config or the Cloudflare dashboard. On the token side, mint and freeze authorities are permanently revoked, and the deployer has no rug history (single launch). However, significant bundle activity was detected at launch (46+ wallets buying in coordinated same-slot transactions), and the deployer is actively extracting pump.fun fees and converting them to USDC. The team behind Nuero is anonymous — no doxxed founders or verifiable team information is available. These token-level observations are provided as context for traders but do not affect the security score, which reflects product safety only.
Rug Risk Assessment
Audit Scope
| Scope Item | Status | Notes |
|---|---|---|
| Frontend security (public pages) | complete | 6 pages tested via Playwright — homepage, chat login, demos, token page, support, about. All pages screenshotted and analyzed. |
| Frontend security (authenticated) | complete | Logged in via Privy OTP (solmelting@gmail.com). Tested chat interface, dashboard, settings, portfolio. Captured network requests — 0 suspicious. |
| Security headers | complete | HTTP response headers analyzed via curl. HSTS, X-Content-Type-Options, Referrer-Policy present. CSP and X-Frame-Options missing. |
| Network request analysis | complete | 283 requests (public) + 176 requests (authenticated) intercepted. External domains: Google Fonts, WalletConnect, Privy, Supabase. 0 suspicious requests. |
| Drainer/phishing detection | complete | No drainer scripts, setApprovalForAll patterns, clipboard hijacking, or data exfiltration detected in public or authenticated states. |
| Twitter/social analysis | complete | Operator-assisted. @useNuero verified account, joined March 2026, 621 followers, 47 posts. Engagement mixed — some organic, some low-quality bot replies. |
| Domain analysis | complete | nuero.chat resolves to 185.158.133.1. Cloudflare CDN. .chat TLD WHOIS limited — registrar data not publicly exposed. |
| On-chain authority checks | complete | Mint and freeze authority both revoked. Token2022 program. Supply: 998,452,882.55 NUERO. |
| Holder analysis | complete | Full paginated analysis via Helius getTokenAccounts — 797 holders across 1 page. Top 10 concentration: 31.81%. |
| Deployer analysis | complete | Deployer 4TQoKzwi... identified via first transaction. 1 token launch only (this one). Currently collecting pump.fun fees and converting to USDC via Jupiter swaps. |
| Bundle detection | complete | First 50 transactions analyzed. 46+ unique buyers in 10 slots. Coordinated same-slot buying detected across multiple slots. |
Findings (5)
| ID | Severity | Title |
|---|---|---|
| TG-001 | medium | Missing Content-Security-Policy header |
| TG-002 | medium | Missing X-Frame-Options header |
| TG-003 | info | Clean external dependency chain |
| TG-004 | info | Privy authentication — industry standard |
| TG-005 | info | No drainer or phishing behavior detected |
TG-001 (medium): Missing Content-Security-Policy header
The website does not set a Content-Security-Policy (CSP) HTTP response header. CSP is the browser-side control that restricts where scripts, styles, frames and network connections may be loaded from, and it is the main defense-in-depth layer against cross-site scripting (XSS). Without it, any injection point an attacker does find lets them load and execute JavaScript from any domain and send captured data to any endpoint. For a site that initiates financial transactions (deposits, withdrawals, token swaps) and collects PII (shipping addresses, phone numbers), this is a meaningful gap. Both Cloudflare and Next.js support setting the header.
HTTP response headers — nuero.chat
```http
# Current headers (missing CSP):
strict-transport-security: max-age=31536000; includeSubDomains
referrer-policy: strict-origin-when-cross-origin
x-content-type-options: nosniff
# Missing: content-security-policy
# Missing: x-frame-options
```
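The check behind this finding can be scripted. The following is an added example and not part of the Opcode report or its tooling: it parses a captured response-header set of the shape shown above, reports which expected security headers are absent, and flags the CSP weaknesses a reviewer would look for (an 'unsafe-inline' script-src with no nonce or hash, a missing frame-ancestors directive). The sample response is constructed to match the headers listed in the report.

```javascript
// Added example, not part of the Opcode report: a small linter for a captured
// response-header set. It parses raw "name: value" lines, reports which expected
// security headers are absent, and flags the CSP weaknesses a reviewer checks for.
// SAMPLE_RESPONSE is constructed to match the headers listed in the report.

const REQUIRED_HEADERS = [
  'strict-transport-security',
  'content-security-policy',
  'x-frame-options',
  'x-content-type-options',
  'referrer-policy',
];

// Constructed from the report's curl output (status line added for realism).
const SAMPLE_RESPONSE = [
  'HTTP/2 200',
  'strict-transport-security: max-age=31536000; includeSubDomains',
  'referrer-policy: strict-origin-when-cross-origin',
  'x-content-type-options: nosniff',
].join('\r\n');

// Parse raw header text into a lower-cased name -> value map. The status line and
// blank lines are skipped; repeated header names are joined with ", " (RFC 9110).
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    if (line.startsWith('HTTP/')) continue;
    const idx = line.indexOf(':');
    if (idx <= 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  return headers;
}

// Split a serialised CSP into a directive -> source-list map.
function parseCsp(policy) {
  const directives = {};
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Return the findings for a header map: missing headers first, then CSP weaknesses.
function auditSecurityHeaders(headers) {
  const findings = [];
  for (const name of REQUIRED_HEADERS) {
    if (!(name in headers)) findings.push(`missing: ${name}`);
  }
  const csp = headers['content-security-policy'];
  if (csp !== undefined) {
    const d = parseCsp(csp);
    // script-src falls back to default-src when it is not set explicitly.
    const scriptSrc = d['script-src'] || d['default-src'] || [];
    const hasNonceOrHash = scriptSrc.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
    // Browsers ignore 'unsafe-inline' once a nonce or hash is present, so only the
    // combination "unsafe-inline without nonce/hash" actually weakens the policy.
    if (scriptSrc.includes("'unsafe-inline'") && !hasNonceOrHash) {
      findings.push("weak: script-src allows 'unsafe-inline' without a nonce or hash");
    }
    if (!('frame-ancestors' in d)) {
      findings.push('weak: no frame-ancestors directive (clickjacking not covered by CSP)');
    }
    if (!('object-src' in d) && !('default-src' in d)) {
      findings.push('weak: object-src unset and no default-src fallback');
    }
  }
  return findings;
}

// Stand-alone run: audit the constructed sample.
if (typeof require !== 'undefined' && require.main === module) {
  for (const f of auditSecurityHeaders(parseHeaders(SAMPLE_RESPONSE))) console.log(f);
}
```

Feed it the output of `curl -sI https://nuero.chat` to reproduce the two scored findings; feed it the recommended starting policy from the remediation below and it will still flag the 'unsafe-inline' script-src and the absent frame-ancestors, which is the point of treating that policy as a bootstrap rather than an end state.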
Add a Content-Security-Policy header via next.config.js headers() or the Cloudflare dashboard. Recommended starting policy:

```
default-src 'self'; script-src 'self' 'unsafe-inline' https://auth.privy.io; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com; connect-src 'self' https://auth.privy.io https://*.supabase.co https://explorer-api.walletconnect.com; frame-src https://auth.privy.io;
```

Two caveats on this policy. First, 'unsafe-inline' in script-src gives up most of the XSS protection the header exists to provide, so treat it as a bootstrap value and move to per-request nonces or hashes (Next.js supports attaching a nonce to its inline scripts from middleware) once the site's inline scripts have been inventoried. Second, deploy the policy as Content-Security-Policy-Report-Only first, so that any legitimate origin missing from connect-src (for example a wss:// endpoint, if the app uses Supabase Realtime) surfaces as a violation report rather than as a broken login.
TG-002 (medium): Missing X-Frame-Options header
The website does not set an X-Frame-Options HTTP response header, so any origin can embed it in an iframe, which enables clickjacking. An attacker could load Nuero's deposit or swap interface in a transparent iframe positioned over a decoy page and trick a logged-in user into clicking through a transaction they did not intend to initiate.
HTTP response headers — nuero.chat
Add X-Frame-Options: DENY (or SAMEORIGIN if the site must frame itself) via next.config.js headers() or the Cloudflare dashboard. Also add frame-ancestors 'none' to the CSP header for defense in depth: browsers that support CSP Level 2 give frame-ancestors precedence over X-Frame-Options, so the two must agree (DENY with 'none', SAMEORIGIN with 'self'), while X-Frame-Options still covers older clients.
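A next.config.js that applies the remediation for TG-001 and TG-002 together, as an added example rather than the project's own configuration. The allow-listed origins are the ones named in this report; the async headers() hook and the {source, headers: [{key, value}]} shape are the documented Next.js API. CSP_REPORT_ONLY is an assumed environment variable used here for a staged rollout, and the scriptNonce parameter is an assumed hook for the nonce-based end state.

```javascript
// Added example, not the project's own configuration: a next.config.js that sets
// the headers recommended in TG-001 and TG-002 on every route. The allow-listed
// origins are the ones named in the report; the async headers() hook and the
// {source, headers:[{key,value}]} shape are the documented Next.js API.
// CSP_REPORT_ONLY is an assumed environment variable for staged rollout.

const ORIGINS = {
  privy: 'https://auth.privy.io',
  supabase: 'https://*.supabase.co',
  walletconnect: 'https://explorer-api.walletconnect.com',
  fontsCss: 'https://fonts.googleapis.com',
  fontsFiles: 'https://fonts.gstatic.com',
};

// Build the policy from a directive map so every directive is visible. When a
// per-request nonce is supplied (e.g. generated in middleware), it replaces
// 'unsafe-inline' for scripts; without one the report's bootstrap value is kept.
function buildCsp({ scriptNonce } = {}) {
  const directives = {
    'default-src': ["'self'"],
    'script-src': ["'self'", scriptNonce ? `'nonce-${scriptNonce}'` : "'unsafe-inline'", ORIGINS.privy],
    'style-src': ["'self'", "'unsafe-inline'", ORIGINS.fontsCss],
    'font-src': ["'self'", ORIGINS.fontsFiles],
    'connect-src': ["'self'", ORIGINS.privy, ORIGINS.supabase, ORIGINS.walletconnect],
    'frame-src': [ORIGINS.privy],
    'frame-ancestors': ["'none'"], // TG-002: CSP-level clickjacking control
    'object-src': ["'none'"],
    'base-uri': ["'self'"],
  };
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// The full header set. X-Frame-Options must agree with frame-ancestors:
// DENY pairs with 'none', SAMEORIGIN with 'self'.
function securityHeaders({ reportOnly = false, scriptNonce } = {}) {
  return [
    {
      key: reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy',
      value: buildCsp({ scriptNonce }),
    },
    { key: 'X-Frame-Options', value: 'DENY' },
    { key: 'Strict-Transport-Security', value: 'max-age=31536000; includeSubDomains' },
    { key: 'X-Content-Type-Options', value: 'nosniff' },
    { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
  ];
}

/** @type {import('next').NextConfig} */
const nextConfig = {
  async headers() {
    return [
      {
        source: '/:path*',
        headers: securityHeaders({ reportOnly: process.env.CSP_REPORT_ONLY === '1' }),
      },
    ];
  },
};

module.exports = nextConfig;
```

Start with CSP_REPORT_ONLY=1 in production, watch the violation reports for a release cycle, then drop the variable to enforce. Note that headers() in next.config.js is evaluated once at startup, so it cannot carry a per-request nonce; the scriptNonce path of buildCsp is meant to be called from middleware that generates the nonce per request and sets the header itself, which is how Next.js documents nonce-based CSP. Confirm the result with `curl -sI https://nuero.chat` after deploying.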
TG-003 (info): Clean external dependency chain
All external domains contacted by the site are legitimate and expected: Google Fonts (typography), the WalletConnect Explorer API (wallet discovery), Privy (authentication) and Supabase (backend database). No unexpected third-party scripts, analytics trackers or ad networks were detected in either the public or the authenticated state.
TG-004 (info): Privy authentication — industry standard
Authentication is handled via Privy (privy.io), a well-established Web3 auth provider. Login uses email OTP inside an isolated iframe served from auth.privy.io. Embedded wallets are created by Privy, so the signing keys are held in Privy's infrastructure rather than on Nuero's servers; the trust boundary for user funds is therefore Privy's key management, not the Nuero backend. This is a secure, standard approach.
https://auth.privy.io/apps/cmn6quyoh00vk0cjl9qmapy16
TG-005 (info): No drainer or phishing behavior detected
Comprehensive testing of both public and authenticated pages found zero indicators of malicious wallet interaction: no setApprovalForAll calls, no hidden transaction signing, no clipboard hijacking and no data exfiltration to unknown domains. (setApprovalForAll is an EVM ERC-721/1155 pattern; on Solana the analogous risk is an SPL Token delegate approval or authority change, and no transaction-signing prompts of any kind were triggered during testing.) The mock wallet injection test and the authenticated session test both returned clean results, with 0 suspicious network requests across the 459 intercepted in total (283 public, 176 authenticated).
reports/playwright-results.json, reports/playwright-auth-results.json
This audit was performed by Opcode using AI-assisted review with human oversight. No audit can guarantee the complete absence of vulnerabilities. This report is not financial or legal advice.
© 2026 Opcode — opcode.run