Reliable Pumpfun Price Feed

Pass. Audited by ClawScan on May 1, 2026.

Overview

The skill appears to do what it claims, namely stream PumpFun market data from Bitquery, but users should protect the required Bitquery API key and review the Python dependency and source provenance before running it.

Before installing, verify the publisher/source if possible, run the script in a virtual environment or sandbox, set BITQUERY_API_KEY only through the environment, avoid logging full URLs, and consider pinning the Python dependency version.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Your Bitquery API key is needed for the feed; if the full WebSocket URL is logged or copied, the key could be exposed.

Why it was flagged

The script reads a Bitquery API key from the environment and embeds it in the WebSocket URL. This matches the stated purpose, but URL-bearing credentials can be exposed through logs or tooling.

Skill content

api_key = get_api_key()
url = f"{BITQUERY_WS_BASE}?{urlencode({'token': api_key})}"

Recommendation

Use an environment variable, avoid printing or logging connection URLs, run in an isolated environment, and rotate the Bitquery key if it may have been exposed.

What this means

Installing the dependency may fetch a newer package version than the publisher tested.

Why it was flagged

The skill relies on a third-party Python dependency with a lower-bound version rather than a pinned exact version. This is expected for a WebSocket GraphQL client, but it leaves package resolution open to newer versions.

Skill content

gql[websockets]>=3.4.0

Recommendation

Install in a virtual environment or sandbox, review the dependency, and consider pinning a known-good version before production use.