Solpaw
v0.1.1
Launch Solana tokens on Pump.fun via the SolPaw platform. 0.1 SOL one-time fee. Your wallet is the onchain creator.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The skill claims 'ALWAYS use Local Mode' and that 'your wallet is the onchain creator' (SKILL.md/README). However, the TypeScript implementation's launchToken() posts to /tokens/launch (server-side signing / lightning mode) rather than /tokens/launch-local. That makes the platform (not the user's wallet) the onchain creator. Requiring a SOLANA_PRIVATE_KEY in metadata/requirements while the code does not use it is inconsistent.
Instruction Scope
SKILL.md instructs building an unsigned transaction (/tokens/launch-local), signing locally, and submitting (/tokens/submit). The code instead calls the server 'launch' endpoint (lightning mode). The documentation and runtime instructions therefore diverge from the actual code path; this is scope/instruction mismatch that could change who controls minted tokens and how fees/ownership work.
Install Mechanism
No install spec (instruction-only) and required binary is only curl. There is a TypeScript source file included, but nothing in the package writes arbitrary archives or pulls code from unusual URLs. Install mechanism itself is low-risk.
Credentials
The skill declares three env vars (SOLPAW_API_KEY, SOLPAW_CREATOR_WALLET, SOLANA_PRIVATE_KEY). SOLPAW_API_KEY and creator wallet are reasonable. Asking for SOLANA_PRIVATE_KEY (a high-value secret) is only justified if the agent will sign transactions locally; the included code does not use that key, so the requirement is disproportionate and unexplained. Storing private keys in environment variables is intrinsically sensitive — avoid unless strictly necessary and audited.
Persistence & Privilege
always:false (good). disable-model-invocation:false (default) means the agent can call the skill autonomously. That is normally acceptable, but combined with a declared requirement for a private key (even if not used by the included code) increases the blast radius: an autonomously-invoking skill with access to a private key could sign transactions without explicit approval. The skill's own policy text requires user confirmation, but that is not enforced automatically.
What to consider before installing
Do not hand over your SOLANA_PRIVATE_KEY or set it as an environment variable for this skill until the mismatches below are resolved. Specific actions to consider before installing or using this skill:
- Ask the maintainer to explain and fix the discrepancy: the SKILL.md/README recommend local signing (/tokens/launch-local + /tokens/submit) but the shipped code calls /tokens/launch (server-side signing). Confirm which mode will actually be used and why.
- If you want your wallet to be the on-chain creator, insist the code use the local-signing flow (build unsigned tx, sign locally with your key, call /tokens/submit) and that SOLANA_PRIVATE_KEY is used only locally (never sent to the API).
- Until that's clarified, do not put your private key in an environment variable accessible to the agent runtime. Prefer ephemeral signing (hardware wallet, remote signing service you control, or manual signing) and test on devnet/testnet first with small amounts.
- Verify the platform wallet address and the project identity off-platform (check the GitHub repo, owner, and domain registration for solpaw.fun). The platform wallet is hardcoded in docs — confirm it matches the official project and not an impostor.
- Require explicit user confirmation before any payment or launch action. The skill's docs state this, but it's a policy; make sure your agent enforces a human approval step before sending funds or signing transactions.
- If you must use the skill, review/replace the launchToken implementation so it uses /tokens/launch-local and /tokens/submit (or otherwise ensure private keys never leave your environment), and re-run a code audit.
Because of the uncertain mismatch (private-key requirement vs server-side signing), treat this skill as suspicious until the author provides a clear explanation or the code is updated to match the documented, local-signing behavior.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
🐾 Clawdis
Bins: curl
Env: SOLPAW_API_KEY, SOLPAW_CREATOR_WALLET, SOLANA_PRIVATE_KEY
Primary env: SOLPAW_API_KEY
SolPaw — Launch Tokens on Solana via Pump.fun
When to use
Use this skill when the agent needs to:
- Launch a new memecoin / token on Solana via Pump.fun
- Deploy a token with a name, symbol, description, and image
- Create a Pump.fun token listing for a community, project, or meme
Overview
SolPaw is the first Solana token-launch platform for autonomous agents. It handles IPFS metadata uploads, transaction building, and Pump.fun deployment.
- Cost: 0.1 SOL one-time platform fee + ~0.02 SOL Pump.fun creation fee per launch
- Creator: Your agent's wallet is the real onchain creator on Pump.fun
- Limit: 1 launch per agent per 24 hours
- Platform wallet: GosroTTvsbgc8FdqSdNtrmWxGbZp2ShH5NP5pK1yAR4K
- Docs: https://solpaw.fun
Prerequisites
- A Solana wallet with at least 0.15 SOL (0.1 platform fee + ~0.02 Pump.fun fee + gas)
- A SolPaw API key (register at the API)
- Environment variables set:
- SOLPAW_API_KEY — your SolPaw API key
- SOLPAW_CREATOR_WALLET — your Solana wallet public key
- SOLANA_PRIVATE_KEY — your wallet private key (base58 encoded, for signing)
Steps
Step 1: Register (one-time)
curl -s -X POST https://api.solpaw.fun/api/v1/agents/register \
-H "Content-Type: application/json" \
-d '{"agent_name":"MyAgent","default_fee_wallet":"YOUR_WALLET_ADDRESS"}' | jq .
Save the api_key from the response. It will NOT be shown again.
Step 2: Get a CSRF token
CSRF=$(curl -s -H "Authorization: Bearer $SOLPAW_API_KEY" \
https://api.solpaw.fun/api/v1/agents/csrf | jq -r '.data.csrf_token')
Step 3: Send 0.1 SOL launch fee
Send 0.1 SOL (100,000,000 lamports) to the platform wallet:
GosroTTvsbgc8FdqSdNtrmWxGbZp2ShH5NP5pK1yAR4K
Save the transaction signature.
Step 4: Upload token image (optional but recommended)
IMAGE_ID=$(curl -s -X POST https://api.solpaw.fun/api/v1/tokens/upload-image \
-H "Authorization: Bearer $SOLPAW_API_KEY" \
-F "file=@token-logo.png" | jq -r '.data.image_id')
Step 5: Launch token (Local Mode — your wallet is the creator)
# Build unsigned transaction
TX_DATA=$(curl -s -X POST https://api.solpaw.fun/api/v1/tokens/launch-local \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $SOLPAW_API_KEY" \
-d '{
"name": "MyCoolToken",
"symbol": "MCT",
"description": "An awesome token launched by an AI agent on SolPaw",
"creator_wallet": "'$SOLPAW_CREATOR_WALLET'",
"signer_public_key": "'$SOLPAW_CREATOR_WALLET'",
"launch_fee_signature": "YOUR_FEE_TX_SIGNATURE",
"image_id": "'$IMAGE_ID'",
"initial_buy_sol": 0,
"slippage": 10,
"priority_fee": 0.0005,
"csrf_token": "'$CSRF'"
}')
# Sign the transaction with your private key, then submit
SIGNED_TX="..." # sign the base64 transaction from TX_DATA
curl -s -X POST https://api.solpaw.fun/api/v1/tokens/submit \
-H "Content-Type: application/json" \
-H "Authorization: Bearer $SOLPAW_API_KEY" \
-d '{"signed_transaction": "'$SIGNED_TX'", "mint": "MINT_FROM_TX_DATA"}'
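Step 5 has the agent sign whatever base64 transaction /tokens/launch-local hands back, so the one check worth doing before the key ever touches it is to confirm the transaction matches what the docs promise: our wallet is the fee payer and creator, no signature slot for a signer we do not control is left for us to fill, and every instruction targets a program we expect. The Python below is an added example, not part of the SolPaw skill or SDK; it parses the legacy Solana transaction wire format (assuming the endpoint returns a legacy, not versioned, transaction) and runs those checks on a constructed sample. The sample keys, the ROGUE program and the allowlist are assumptions; the one real value is the system program, whose all-zero key encodes as thirty-two "1" characters.

```python
import base64
B58 = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def b58encode(raw: bytes) -> str:                       # Solana pubkeys are shown base58-encoded
    n, out = int.from_bytes(raw, "big"), bytearray()
    while n:
        n, r = divmod(n, 58)
        out.append(B58[r])
    return (B58[:1] * (len(raw) - len(raw.lstrip(b"\0"))) + out[::-1]).decode()
def compact_u16(buf: bytes, pos: int):                  # compact-u16 length prefix -> (value, next pos)
    value = shift = 0
    while buf[pos] & 0x80:
        value |= (buf[pos] & 0x7F) << shift
        pos, shift = pos + 1, shift + 7
    return value | (buf[pos] << shift), pos + 1
def parse_legacy_tx(tx_b64: str) -> dict:              # wire format of the tx /tokens/launch-local returns
    buf = base64.b64decode(tx_b64)
    n_sigs, pos = compact_u16(buf, 0)
    sigs = [buf[pos + 64 * i:pos + 64 * (i + 1)] for i in range(n_sigs)]
    pos += 64 * n_sigs
    n_required, pos = buf[pos], pos + 3                 # header: required signers, ro signed, ro unsigned
    n_keys, pos = compact_u16(buf, pos)
    keys = [b58encode(buf[pos + 32 * i:pos + 32 * (i + 1)]) for i in range(n_keys)]
    pos += 32 * n_keys + 32                             # skip account keys and the recent blockhash
    n_ix, pos = compact_u16(buf, pos)
    programs = []
    for _ in range(n_ix):
        programs.append(keys[buf[pos]]); pos += 1                 # program id index
        n_acc, pos = compact_u16(buf, pos); pos += n_acc          # account index list
        n_data, pos = compact_u16(buf, pos); pos += n_data        # instruction data
    return {"signers": keys[:n_required], "signatures": sigs, "programs": programs}
def check_before_signing(tx_b64: str, my_wallet: str, allowed_programs: set) -> list:
    tx, findings = parse_legacy_tx(tx_b64), []          # returns reasons NOT to sign; [] means all checks passed
    if tx["signers"][:1] != [my_wallet]:
        findings.append("fee payer (first signer) is not our wallet")
    for key, sig in zip(tx["signers"], tx["signatures"]):
        if key != my_wallet and sig == bytes(64):               # a slot we cannot fill: someone else's key
            findings.append(f"signature slot for foreign signer {key} is still empty")
    findings += [f"instruction targets unexpected program {p}" for p in tx["programs"] if p not in allowed_programs]
    return findings
def build_sample_tx(fee_payer: bytes, co_signer: bytes, programs: list, presigned: bool) -> str:
    keys = [fee_payer, co_signer] + programs            # constructed two-signer sample, not real chain data
    msg = bytes([2, 0, len(programs), len(keys)]) + b"".join(keys) + bytes(32) + bytes([len(programs)])
    for i in range(len(programs)):
        msg += bytes([2 + i, 1, 0, 1, 0xAA])                      # program index, 1 account (index 0), 1 data byte
    sigs = bytes(64) + (b"\x01" * 64 if presigned else bytes(64))  # our slot empty; co-signer (mint) slot maybe filled
    return base64.b64encode(bytes([2]) + sigs + msg).decode()
# Assumed sample keys: our wallet, the server-generated mint, an unexpected program, and the real system program
MY_WALLET_RAW, MINT_RAW, ROGUE_RAW, SYSTEM_RAW = bytes([7]) * 32, bytes([9]) * 32, bytes([0xBB]) * 32, bytes(32)
MY_WALLET, ALLOWED = b58encode(MY_WALLET_RAW), {b58encode(SYSTEM_RAW)}
```

In practice, pass the base64 string from TX_DATA and your SOLPAW_CREATOR_WALLET to check_before_signing, and build the allowlist from program ids you have verified yourself rather than from values the API returns.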
Using the TypeScript SDK (Easier)
import SolPawSkill from './solpaw-skill';
import { Keypair } from '@solana/web3.js';
import bs58 from 'bs58'; // required for bs58.decode below; the original snippet omitted this import

const solpaw = new SolPawSkill({
  apiEndpoint: 'https://api.solpaw.fun/api/v1',
  apiKey: process.env.SOLPAW_API_KEY,
  defaultCreatorWallet: process.env.SOLPAW_CREATOR_WALLET,
});

// Decode the base58 secret key locally; the keypair is only used to sign in-process
const keypair = Keypair.fromSecretKey(bs58.decode(process.env.SOLANA_PRIVATE_KEY!));

// One-call launch: pays fee + uploads + signs + submits (run inside an ES module or an async function)
const result = await solpaw.payAndLaunch({
  name: 'MyCoolToken',
  symbol: 'MCT',
  description: 'Launched by an AI agent on SolPaw',
  image_url: 'https://example.com/logo.png',
  initial_buy_sol: 0.5,
}, keypair);

console.log(result.pumpfun_url); // https://pump.fun/coin/...
Constraints
- DO NOT launch tokens without user approval — always confirm name, symbol, and description first
- DO NOT launch more than 1 token per 24 hours (enforced server-side)
- DO NOT include offensive or misleading token names/descriptions
- ALWAYS include a token image — tokens without images perform poorly on Pump.fun
- ALWAYS use Local Mode (pass signer_keypair) so the agent's wallet is the onchain creator
- The 0.1 SOL platform fee is non-refundable once the launch succeeds
- CSRF tokens expire after 30 minutes and are single-use
- Image uploads expire after 30 minutes
Examples
Successful launch
Agent: I'll launch the DOGE2 token on Pump.fun for you.
> Uploading token image...
> Paying 0.1 SOL launch fee...
> Building transaction...
> Signing and submitting...
> Token launched successfully!
> Pump.fun: https://pump.fun/coin/So1...
> Mint: So1...
> Your wallet is the onchain creator.
Error: insufficient balance
Agent: Your wallet only has 0.05 SOL. You need at least 0.15 SOL to launch:
- 0.1 SOL platform fee
- ~0.02 SOL Pump.fun creation fee
- ~0.01 SOL for gas