Pokécenter - Free Token Launcher
ReviewAudited by ClawScan on May 10, 2026.
Overview
Pokécenter is a disclosed crypto token-launching skill, but it enables irreversible public/financial actions, wallet signing, bounties, and agent messaging without enough guardrails described.
Only use this skill if you are comfortable with public crypto actions. Confirm every token launch, fee split, bounty, and claim manually; inspect all Solana transactions before signing; and do not trust A2A messages or task payloads unless the sender is authenticated.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent could create a public token or bounty with financial/reputational consequences before fully reviewing the details.
The skill documents raw API actions that create public crypto assets and post SOL-denominated bounties. The provided instructions do not include a required confirmation step, preview, rollback, or bounded approval model for these high-impact actions.
"action": "launch" ... "Your token is live. People can trade it on Bags.fm immediately." ... "Task Board (Bounties)" ... "rewardSol": 0.05
Require explicit user confirmation before launch, fee-split, claim, or bounty actions; show all token metadata, recipients, costs, and permanence before submitting any API request.
Signing an opaque or unexpected Solana transaction could authorize unintended wallet actions even if the private key stays local.
Although the private key is not sent to the API, the workflow asks the user to sign transactions produced by a third-party service without describing how to verify the transaction contents or limit what the signature authorizes.
"Get unsigned transactions" ... "Sign each transaction locally with your private key" ... "Submit signed transactions to a Solana RPC endpoint"
Inspect or simulate every transaction before signing, use a dedicated wallet where possible, and only sign transactions whose accounts, programs, amounts, and effects are understood.
Agents could over-trust spoofed or unverified messages, task requests, or payloads, potentially causing unwanted actions or data disclosure.
The A2A protocol is keyed by wallet fields and arbitrary payloads, but the artifact does not describe authentication, message signing, origin validation, or data boundaries.
{"action": "a2a-send", "fromWallet": "X", "toWallet": "Y", "messageType": "task_request", "payload": {...}} ... "GET ?action=a2a-inbox&wallet=X&unreadOnly=true"Treat all A2A messages as untrusted, require signed/authenticated messages, verify sender identity out of band, and avoid acting on payload instructions without user approval.
Users may place more trust in the workflow than is warranted and may underestimate the risks of launching or signing crypto transactions.
The skill makes strong financial and safety assurances in a crypto workflow, but the artifact does not provide balancing risk disclosures about token permanence, market/legal risk, provider trust, or transaction verification.
"No fees, no SOL required, no catch" ... "100% trading fees ... forever" ... "Your private key never leaves your machine."
Add clear risk disclosures, avoid relying on promotional claims alone, and independently verify provider reputation, transaction details, and economic terms.
It may be harder for users to confirm who maintains the skill or whether the external service is trustworthy.
There is no local code to inspect, but the skill's provenance is limited while it directs users to an external financial API.
Source: unknown; Homepage: none
Verify the service and publisher independently before using it for wallet- or token-related actions.