Reliable Pumpfun Price Feed
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: pumpfun-usd-price-stream
Version: 1.0.4
The skill provides a legitimate real-time stream of PumpFun token data from Bitquery via WebSockets. The Python script `scripts/stream_pumpfun.py` and the instructions in `SKILL.md` are well-documented and align with the stated purpose. Notably, the documentation includes a proactive security warning regarding the Bitquery API's requirement to pass the API key in the WebSocket URL, advising users on how to prevent credential leakage in logs. No malicious behaviors, such as data exfiltration or unauthorized execution, were found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Your Bitquery API key is needed for the feed; if the full WebSocket URL is logged or copied, the key could be exposed.
The script reads a Bitquery API key from the environment and embeds it in the WebSocket URL. This matches the stated purpose, but URL-bearing credentials can be exposed through logs or tooling.
api_key = get_api_key()
url = f"{BITQUERY_WS_BASE}?{urlencode({'token': api_key})}"
Use an environment variable, avoid printing or logging connection URLs, run in an isolated environment, and rotate the Bitquery key if it may have been exposed.
Installing the dependency may fetch a newer package version than the publisher tested.
The skill relies on a third-party Python dependency with a lower-bound version rather than a pinned exact version. This is expected for a WebSocket GraphQL client, but it leaves package resolution open to newer versions.
gql[websockets]>=3.4.0
Install in a virtual environment or sandbox, review the dependency, and consider pinning a known-good version before production use.
