Blowfish Launch

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill matches its token-launching purpose, but it requires a Solana private key that the metadata does not declare and can use it for high-impact token or fee actions through a third-party API.

Review carefully before installing. Only use this if you intentionally want an agent to launch Solana tokens through the Blowfish API. Use a dedicated wallet with limited funds, set WALLET_SECRET_KEY only for the command/session that needs it, verify the api-blowfish.neuko.ai service and dependencies, and require explicit approval before any launch or fee-claim action.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If run with a real wallet key, the agent can authenticate as that wallet to the Blowfish API and obtain delegated read/trade access for token-launch workflows.

Why it was flagged

The script loads a Solana private key from an environment variable and uses it to authenticate. Registry metadata declares no required env vars or primary credential, so the wallet authority is under-disclosed.

Skill content

const secretKey = Uint8Array.from(JSON.parse(process.env.WALLET_SECRET_KEY!));
const keypair = Keypair.fromSecretKey(secretKey);

Recommendation

Declare the wallet credential explicitly, require user approval before use, and only use a dedicated low-value wallet rather than a main wallet.

What this means

A mistaken or unintended invocation could launch a token or consume the launch quota, with public and financial consequences.

Why it was flagged

Once invoked with parameters, the script directly submits the token launch and waits for deployment. There is no visible confirmation or dry-run step before a public/on-chain action.

Skill content

const eventId = await launchToken(token, params);
await waitForDeployment(eventId, token);

Recommendation

Add an explicit confirmation step for launch and fee-claim actions, show the wallet and token parameters before submitting, and document whether actions are reversible.

What this means

Users have less assurance about the origin of the skill and the exact dependency setup needed to run the script.

Why it was flagged

For a skill that uses wallet credentials and external packages, missing provenance and install/dependency declarations make it harder for a user to verify what they are trusting.

Skill content

Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

Recommendation

Provide a verified homepage/source, an install spec or package manifest with pinned dependencies, and clear setup requirements.