GMGN Skill Cooking
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This skill is clear about launching real crypto tokens, but it requires a wallet private key and an unpinned external CLI, so it needs careful review before use.
Install or use this only if you trust the gmgn-cli package and understand it can submit irreversible blockchain transactions with your wallet key. Use a dedicated low-balance wallet, verify every command manually, pin or inspect the CLI version, and avoid placing private keys in shared project .env files.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A confirmed create command can deploy a public token contract and spend real wallet funds, and the transaction cannot be undone.
The skill explicitly performs real financial actions. This is purpose-aligned and disclosed, but the user must understand the impact before any command is run.

> **This skill executes REAL, IRREVERSIBLE blockchain transactions.**

Only approve a create command after checking the chain, launchpad, wallet address, token name/symbol, buy amount, and slippage. Use a small dedicated wallet.

If the wrong process, package, workspace, or user gains access to the private key, wallet funds and token-launch authority may be compromised.
A wallet private key is high-impact signing authority. The registry requirements list no required env vars or primary credential, so this credential dependency is under-declared outside the skill text.

> `cooking create` requires both `GMGN_API_KEY` and `GMGN_PRIVATE_KEY` ... configured in `~/.config/gmgn/.env`.

Use a dedicated low-balance wallet, do not reuse a main wallet private key, keep keys out of shared project directories, and verify credential handling before use.

A compromised or wrong CLI package/version could misuse the private key, submit unintended transactions, or expose wallet credentials.
The skill depends on an unpinned globally installed npm package, while the submitted artifact set contains no code or install spec. That package is expected to handle private-key signing and transaction submission.

> `gmgn-cli` installed globally — if missing, run: `npm install -g gmgn-cli`

Verify the CLI's provenance, pin and inspect the package version, prefer an isolated environment, and do not install or run it with a high-value wallet.

A user may over-trust the key-safety claim without independently verifying what the external CLI does.
This is a reassuring security claim about key handling, but the provided artifacts are instruction-only and do not include the CLI code needed to verify it.

> The private key never leaves the machine — the CLI uses it only for local signing.

Treat the claim as unverified until the CLI implementation and network behavior have been checked.
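The review steps the last three findings recommend (pin and inspect the CLI before a global install, look for the private key near network code to test the "never leaves the machine" claim, and keep the credential file owner-only and out of project checkouts), written out as an added shell example. This is not part of the ClawScan audit or of the gmgn-cli project; it assumes the package name `gmgn-cli`, the `~/.config/gmgn/.env` path and `GMGN_PRIVATE_KEY` variable name quoted from the skill text, and that the CLI ships as readable JavaScript. The grep patterns are a triage heuristic, not proof of safety: a hit is a file to read by hand, and no hits does not clear obfuscated or native code.

```shell
# Added example; not from the ClawScan audit or gmgn-cli. Package name, env
# path and variable names are assumptions taken from the skill text.

# 1. Pin an exact version, record the tarball digest, and unpack it for
#    review instead of running "npm install -g gmgn-cli" unpinned.
#    Needs network access; unpacks to "$dest/package".
fetch_pinned() {
  pkg="$1"; ver="$2"; dest="$3"
  npm pack "${pkg}@${ver}" --pack-destination "$dest" >/dev/null || return 1
  sha256sum "$dest/${pkg}-${ver}.tgz"
  tar -xzf "$dest/${pkg}-${ver}.tgz" -C "$dest"
}

# 2. Static triage of the key-safety claim: print (basename of) every file in
#    the unpacked tree that references the private-key variable AND contains
#    a network client. Each hit must be read before trusting "local signing".
key_near_network() {
  dir="$1"
  grep -rlE 'GMGN_PRIVATE_KEY' "$dir" 2>/dev/null \
    | while IFS= read -r f; do
        if grep -qE 'fetch\(|axios|https?\.request|node-fetch|WebSocket' "$f"; then
          basename "$f"
        fi
      done
}

# 3. Credential file hygiene: mode 600, not inside the project tree, and no
#    copy of the private key in the project's own .env. Returns 0 when clean.
check_env_file() {
  envfile="$1"; project="$2"
  mode=$(stat -c '%a' "$envfile" 2>/dev/null || stat -f '%Lp' "$envfile")
  [ "$mode" = "600" ] || { echo "env file mode is '$mode', want 600"; return 1; }
  case "$envfile" in
    "$project"/*) echo "env file lives inside the project tree"; return 1 ;;
  esac
  if [ -f "$project/.env" ] && grep -q 'GMGN_PRIVATE_KEY' "$project/.env"; then
    echo "private key duplicated in $project/.env"; return 1
  fi
  return 0
}

# 4. Only after the review passes: install exactly the version you inspected.
install_pinned() { npm install -g "$1@$2"; }

# Typical flow (network steps commented out so the file runs offline):
#   d=$(mktemp -d); fetch_pinned gmgn-cli 1.2.3 "$d"   # version is a placeholder
#   key_near_network "$d/package"                      # expect no output
#   check_env_file "$HOME/.config/gmgn/.env" "$PWD"    # expect exit 0
#   install_pinned gmgn-cli 1.2.3
```

Run `key_near_network` against the unpacked `package` directory, not the globally installed copy, so what you inspect is the exact tarball whose digest you recorded. An empty result only means the cheap check found nothing; the claim still needs the CLI's actual network behaviour checked, for example by running it under an egress-blocked environment with a throwaway key.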
