Pump.fun Token Launcher

Status: Pending. Static analysis audit pending.

Overview

No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If an agent invokes the live command incorrectly or too eagerly, it could spend SOL and create an irreversible public token on mainnet.

Why it was flagged

The code has a dry-run branch, but if --dry-run is absent it proceeds directly to a live on-chain createAndBuy call. There is no in-command confirmation prompt or required --confirm flag before spending SOL and creating a token.

Skill content

if (dryRun === "true") { ... return; } ... const result = await sdk.createAndBuy(wallet, mintKeypair, { name, symbol, description, file: imageBlob }, BigInt(Math.floor(buyAmountSol * LAMPORTS_PER_SOL)), slippageBps, { unitLimit: 250000, unitPrice: priorityFee })

Recommendation

Use only with explicit user confirmation, a dedicated low-balance wallet, and a dry-run first. The skill should ideally require an interactive confirmation or explicit --confirm-live flag before any mainnet transaction.

What this means

A funded wallet controlled through this skill can spend real SOL; misconfiguration or agent misuse could affect funds.

Why it was flagged

The skill uses a Solana private key or generated wallet to authorize transactions, while the registry metadata declares no primary credential and no required env vars. This is high-impact account authority even though it is disclosed in the instructions.

Skill content

WALLET_PRIVATE_KEY=base58_encoded_private_key ... If `WALLET_PRIVATE_KEY` is not set, the script will generate a new wallet and save it to `.wallet.key`

Recommendation

Use a separate wallet funded only with the amount you are willing to spend, avoid reusing high-value private keys, and ensure the skill metadata clearly declares wallet/private-key and RPC-key requirements.

What this means

Future dependency resolution could install different package versions than the author tested, which is more sensitive for wallet-handling software.

Why it was flagged

The skill relies on npm dependencies with caret version ranges. That is common for JavaScript projects, but it is worth noticing because this tool handles wallet keys and live blockchain transactions.

Skill content

"dependencies": { "@coral-xyz/anchor": "^0.30.1", "@solana/web3.js": "^1.95.8", "pumpdotfun-sdk": "^1.4.2" }

Recommendation

Install from a trusted source, review or pin dependency versions with a lockfile, and avoid installing updates blindly for a funded-wallet tool.