Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Solpaw Interaction Skill

v0.1.1

Launch Solana tokens on Pump.fun via the SolPaw platform. 0.1 SOL one-time fee. Your wallet is the onchain creator.

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The skill claims to let an agent launch tokens with the user's wallet as the on-chain creator (local signing). Requiring SOLPAW_API_KEY and a creator wallet is reasonable, but the TypeScript implementation posts to /tokens/launch (server-side signing / 'lightning' endpoint) rather than the documented /tokens/launch-local. That makes the stated guarantee ('your wallet is the onchain creator') inconsistent with the implemented API call.
Instruction Scope
SKILL.md gives concrete curl steps for registering, obtaining a CSRF token, sending 0.1 SOL to a platform wallet, uploading images, and building/signing transactions locally. Those steps are scoped to the described task. However, the README/SDK examples and the SKILL.md emphasize local signing while the included code uses the server signing endpoint — a mismatch that gives the agent discretion to use a server-signed flow unless callers intentionally use the local flow.
Install Mechanism
No install script or external downloads are present; the skill is instruction-only plus a TypeScript file. Required binary is only curl. This is low risk from an install perspective.
Credentials
The skill requires SOLPAW_API_KEY and SOLPAW_CREATOR_WALLET (expected) and also SOLANA_PRIVATE_KEY (very sensitive). Requesting a private key is proportionate if the skill truly performs local signing only — but given the code calling the server-side launch endpoint, the private key requirement is not clearly justified and could be abused to sign/submit transactions unexpectedly.
Persistence & Privilege
always:false and user-invocable:true (normal). But disable-model-invocation:false means the agent could invoke the skill autonomously; combined with an environment-held private key, that gives an autonomous agent the ability to sign and submit transactions and spend funds. This combination increases the blast radius if the skill behaves unexpectedly or is misused.
What to consider before installing
Before installing, consider the following:

  • Do not store your main Solana private key in an environment variable for a third-party skill. Prefer a dedicated wallet with minimal funds or an offline/hardware signing flow.
  • Verify whether the skill will perform local signing (/tokens/launch-local) or server signing (/tokens/launch). The code provided posts to /tokens/launch (server-side signing), which contradicts the docs that promise your wallet as the on-chain creator. Ask the author to confirm and/or change the code to use the local signing endpoint.
  • If you must test, create a throwaway wallet with <=0.15 SOL and test the flow first; never give this skill access to high-value keys.
  • Limit autonomous invocation: disable autonomous invocation for this skill or remove SOLANA_PRIVATE_KEY from the agent environment so it cannot sign without explicit manual steps.
  • Audit the upstream repository (GitHub links are provided) and confirm the API endpoint and platform wallet are legitimate and match what is documented. Confirm CSRF/payment verification behavior on the server side.
  • If you need a safer setup: perform the signing step entirely offline (sign transaction locally), then manually submit the signed transaction via curl, keeping the skill's API key separate.

Given the contradictions in docs vs code and the sensitive env var required, proceed only after clarifying the signing model and using a low-value test wallet.
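
The endpoint and invocation checks described above can be run statically before installing. This is an added example, not code from the skill, SolPaw or ClawHub. It assumes a manifest of "key: value" lines using the field names quoted in the scan; the rule names are hypothetical, and the sample code line is constructed from the scan's description of the skill's TypeScript file.

```typescript
// Added example: static pre-install audit of a skill bundle (docs vs code vs manifest).
interface Finding { rule: string; detail: string; }

// Every distinct /tokens/... path in a text; "launch-local" and "launch" stay distinct.
function tokenEndpoints(text: string): string[] {
  const re = /\/tokens\/[a-z]+(?:-[a-z]+)*/g;
  const found: string[] = [];
  let m: RegExpExecArray | null;
  while ((m = re.exec(text)) !== null) {
    if (found.indexOf(m[0]) === -1) found.push(m[0]);
  }
  return found;
}

// Assumed manifest shape: one "key: value" pair per line.
function manifestValue(manifest: string, key: string): string {
  const lines = manifest.split("\n");
  for (let i = 0; i < lines.length; i++) {
    const idx = lines[i].indexOf(":");
    if (idx > 0 && lines[i].slice(0, idx).trim() === key) {
      return lines[i].slice(idx + 1).trim();
    }
  }
  return "";
}

function auditSkill(manifest: string, docs: string, code: string): Finding[] {
  const findings: Finding[] = [];
  // Rule 1 (hypothetical name): the code calls an endpoint the docs never mention.
  const documented = tokenEndpoints(docs);
  tokenEndpoints(code).forEach((ep) => {
    if (documented.indexOf(ep) === -1) findings.push({ rule: "undocumented-endpoint", detail: ep });
  });
  // Rule 2 (hypothetical name): a signing secret in env while the model may invoke the skill itself.
  const secrets = manifestValue(manifest, "env").split(",")
    .map((v) => v.trim())
    .filter((v) => /PRIVATE_KEY|SECRET|MNEMONIC|SEED/.test(v));
  if (secrets.length > 0 && manifestValue(manifest, "disable-model-invocation") === "false") {
    findings.push({ rule: "autonomous-signing-key", detail: secrets.join(",") });
  }
  return findings;
}

// Constructed inputs: endpoints from the documented steps, a stand-in code line, an assumed manifest.
const DOCS = "POST /tokens/upload-image\nPOST /tokens/launch-local\nPOST /tokens/submit";
const CODE = "return this.post('/tokens/launch', body); // constructed stand-in";
const MANIFEST = "env: SOLPAW_API_KEY, SOLPAW_CREATOR_WALLET, SOLANA_PRIVATE_KEY\n" +
  "always: false\nuser-invocable: true\ndisable-model-invocation: false";

console.log(auditSkill(MANIFEST, DOCS, CODE));
```

An empty result does not show the skill is safe; it only means these two specific mismatches are absent.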

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🐾 Clawdis
Bins: curl
Env: SOLPAW_API_KEY, SOLPAW_CREATOR_WALLET, SOLANA_PRIVATE_KEY
Primary env: SOLPAW_API_KEY
latest: vk973mfy1vznvpt6z4thzv9jnhd80x64w
Downloads: 855
Stars: 0
Versions: 1
Updated 7h ago
v0.1.1
MIT-0

SolPaw — Launch Tokens on Solana via Pump.fun

When to use

Use this skill when the agent needs to:

  • Launch a new memecoin / token on Solana via Pump.fun
  • Deploy a token with a name, symbol, description, and image
  • Create a Pump.fun token listing for a community, project, or meme

Overview

SolPaw is the first Solana token-launch platform for autonomous agents. It handles IPFS metadata uploads, transaction building, and Pump.fun deployment.

  • Cost: 0.1 SOL one-time platform fee + ~0.02 SOL Pump.fun creation fee per launch
  • Creator: Your agent's wallet is the real onchain creator on Pump.fun
  • Limit: 1 launch per agent per 24 hours
  • Platform wallet: 6SoPUBp68Eqhvs3fdx6GdKu5EP44ykqsjh359LyY3ZiS
  • Docs: https://solpaw.fun

Prerequisites

  1. A Solana wallet with at least 0.15 SOL (0.1 platform fee + ~0.02 Pump.fun fee + gas)
  2. A SolPaw API key (register at the API)
  3. Environment variables set:
    • SOLPAW_API_KEY — your SolPaw API key
    • SOLPAW_CREATOR_WALLET — your Solana wallet public key
    • SOLANA_PRIVATE_KEY — your wallet private key (base58 encoded, for signing)

Steps

Step 1: Register (one-time)

curl -s -X POST https://api.solpaw.fun/api/v1/agents/register \
  -H "Content-Type: application/json" \
  -d '{"agent_name":"MyAgent","default_fee_wallet":"YOUR_WALLET_ADDRESS"}' | jq .

Save the api_key from the response. It will NOT be shown again.

Step 2: Get a CSRF token

CSRF=$(curl -s -H "Authorization: Bearer $SOLPAW_API_KEY" \
  https://api.solpaw.fun/api/v1/agents/csrf | jq -r '.data.csrf_token')

Step 3: Send 0.1 SOL launch fee

Send 0.1 SOL (100,000,000 lamports) to the platform wallet: 6SoPUBp68Eqhvs3fdx6GdKu5EP44ykqsjh359LyY3ZiS

Save the transaction signature.

Step 4: Upload token image (optional but recommended)

IMAGE_ID=$(curl -s -X POST https://api.solpaw.fun/api/v1/tokens/upload-image \
  -H "Authorization: Bearer $SOLPAW_API_KEY" \
  -F "file=@token-logo.png" | jq -r '.data.image_id')

Step 5: Launch token (Local Mode — your wallet is the creator)

# Build unsigned transaction
TX_DATA=$(curl -s -X POST https://api.solpaw.fun/api/v1/tokens/launch-local \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $SOLPAW_API_KEY" \
  -d '{
    "name": "MyCoolToken",
    "symbol": "MCT",
    "description": "An awesome token launched by an AI agent on SolPaw",
    "creator_wallet": "'$SOLPAW_CREATOR_WALLET'",
    "signer_public_key": "'$SOLPAW_CREATOR_WALLET'",
    "launch_fee_signature": "YOUR_FEE_TX_SIGNATURE",
    "image_id": "'$IMAGE_ID'",
    "initial_buy_sol": 0,
    "slippage": 10,
    "priority_fee": 0.0005,
    "csrf_token": "'$CSRF'"
  }')

# Sign the transaction with your private key, then submit
SIGNED_TX="..." # sign the base64 transaction from TX_DATA
curl -s -X POST https://api.solpaw.fun/api/v1/tokens/submit \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $SOLPAW_API_KEY" \
  -d '{"signed_transaction": "'$SIGNED_TX'", "mint": "MINT_FROM_TX_DATA"}'

Using the TypeScript SDK (Easier)

import SolPawSkill from './solpaw-skill';
import { Keypair } from '@solana/web3.js';
import bs58 from 'bs58'; // needed for bs58.decode() below

const solpaw = new SolPawSkill({
  apiEndpoint: 'https://api.solpaw.fun/api/v1',
  apiKey: process.env.SOLPAW_API_KEY,
  defaultCreatorWallet: process.env.SOLPAW_CREATOR_WALLET,
});

const keypair = Keypair.fromSecretKey(bs58.decode(process.env.SOLANA_PRIVATE_KEY));

// One-call launch: pays fee + uploads + signs + submits
const result = await solpaw.payAndLaunch({
  name: 'MyCoolToken',
  symbol: 'MCT',
  description: 'Launched by an AI agent on SolPaw',
  image_url: 'https://example.com/logo.png',
  initial_buy_sol: 0.5,
}, keypair);

console.log(result.pumpfun_url); // https://pump.fun/coin/...

Constraints

  • DO NOT launch tokens without user approval — always confirm name, symbol, and description first
  • DO NOT launch more than 1 token per 24 hours (enforced server-side)
  • DO NOT include offensive or misleading token names/descriptions
  • ALWAYS include a token image — tokens without images perform poorly on Pump.fun
  • ALWAYS use Local Mode (pass signer_keypair) so the agent's wallet is the onchain creator
  • The 0.1 SOL platform fee is non-refundable once the launch succeeds
  • CSRF tokens expire after 30 minutes and are single-use
  • Image uploads expire after 30 minutes

Examples

Successful launch

Agent: I'll launch the DOGE2 token on Pump.fun for you.
> Uploading token image...
> Paying 0.1 SOL launch fee...
> Building transaction...
> Signing and submitting...
> Token launched successfully!
> Pump.fun: https://pump.fun/coin/So1...
> Mint: So1...
> Your wallet is the onchain creator.

Error: insufficient balance

Agent: Your wallet only has 0.05 SOL. You need at least 0.15 SOL to launch:
- 0.1 SOL platform fee
- ~0.02 SOL Pump.fun creation fee
- ~0.01 SOL for gas
