Streme Token Launcher
v1.0.0Launch tokens on Streme (streme.fun) - the streaming token platform on Base. Use when deploying SuperTokens with built-in staking rewards, Uniswap V3 liquidity, and optional vesting vaults. Triggers on "launch token on streme", "deploy streme token", "create supertoken", or any Streme token deployment task.
⭐ 1· 1.5k·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description (launch tokens on Streme) match the included scripts (deploy-token.ts, upload-image.ts) and contract ABIs. However the registry metadata declares no required environment variables or primary credential, while the deployment script requires PRIVATE_KEY (and the upload script optionally requires PINATA_JWT / CLOUDINARY_*/IMGBB key). The missing declaration of sensitive creds is an important inconsistency.
Instruction Scope
The SKILL.md instructions are focused on deploying tokens and hosting images. Runtime steps (generating salt, uploading images, building config, calling deployWithAllocations) are within the stated purpose. The instructions do require running local scripts (npx ts-node) and setting environment variables, but they do not try to read unrelated system files or exfiltrate data to unexpected endpoints.
Install Mechanism
No install spec (instruction-only) and included code files — there is no download of remote binaries or archives, which reduces supply-chain risk. Users will execute the included TypeScript locally (requires Node/ts-node). This is low technical install risk but means you must trust the shipped code before running.
Credentials
The actual code requires a sensitive PRIVATE_KEY env var to sign and send chain transactions, plus optional third‑party upload credentials (PINATA_JWT, CLOUDINARY_API_KEY/SECRET, IMGBB_API_KEY). Those are reasonable for a deployer/uploader, but the skill's declared requirements list no env vars or primary credential — a mismatch that could mislead users about what secrets they'll need to provide. Requesting a deployer private key is high sensitivity; ensure you only use a wallet with minimal funds or a secure signing approach.
Persistence & Privilege
The skill does not request persistent platform privileges (always:false), does not modify other skills, and includes no autonomous installation behavior. It operates as a local invocation script when run, which is appropriate for its purpose.
What to consider before installing
This package appears to implement a legitimate Streme token deployment flow, but there are two things you should not ignore: (1) The registry metadata claims no required environment variables, yet deploy-token.ts demands a PRIVATE_KEY (and upload-image.ts uses PINATA_JWT / CLOUDINARY_* / IMGBB keys). Supplying a private key lets the script sign and send real transactions — only use a key/wallet you control and are willing to risk (preferably a throwaway wallet with minimal funds), or use a safer signing workflow (hardware wallet, remote signer, or pre-signed transactions). (2) The source/homepage are unknown; you should manually review the included TypeScript before running it (especially the deploy script) and confirm contract addresses and RPC endpoints match official Streme/Base documentation. If you need higher assurance, ask the publisher for provenance (source repo, audit, or maintainer identity) or require the registry metadata be corrected to declare PRIMARY env vars. Additional info that would increase my confidence: an official upstream repository, a maintainer identity, registry metadata updated to list PRIVATE_KEY as the primary credential, or an audit/verification that the deployer address and contract ABIs are authentic.Like a lobster shell, security has layers — review code before you run it.
basevk97dh8rcjkba2z569dwtr25e1n80a91qcryptovk97dh8rcjkba2z569dwtr25e1n80a91qdefivk97dh8rcjkba2z569dwtr25e1n80a91qlatestvk97dh8rcjkba2z569dwtr25e1n80a91qstremevk97dh8rcjkba2z569dwtr25e1n80a91qsuperfluidvk97dh8rcjkba2z569dwtr25e1n80a91qtokensvk97dh8rcjkba2z569dwtr25e1n80a91qweb3vk97dh8rcjkba2z569dwtr25e1n80a91q
License
MIT-0
Free to use, modify, and redistribute. No attribution required.