Ship My Token
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to do what it claims, but it handles real crypto wallet keys, signs Solana transactions, and sets up recurring background recaps, so users should review it carefully before installing.
Install only if you are comfortable with an agent-created Solana wallet and agent-run transactions. Fund the wallet minimally, confirm every launch, initial buy, claim, and fee-share change before it is submitted, understand that Ship My Token keeps a 20% creator-fee share, protect the private key, and remove any heartbeat/cron recap tasks if you do not want recurring portfolio checks.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the key is exposed in chat logs, terminal history, backups, or to another local process, someone could take the wallet's SOL or control launched tokens.
The skill generates and stores a Solana private key and can print it during export. That key controls any funds and tokens in the wallet.
await writeConfig("SOLANA_PRIVATE_KEY", privateKey); ... action: "export", publicKey, privateKey
Only fund the generated wallet with amounts you are willing to risk, avoid exporting the private key into shared chats, and prefer explicit wallet/signing confirmation or an external wallet for larger funds.
Agent-run commands can perform real on-chain actions, such as fee claiming or fee-share updates, which may be irreversible or financially significant.
The fee-management script signs and submits Solana transactions using the stored wallet key.
tx.sign([wallet]); ... const signature = await connection.sendTransaction(tx, { skipPreflight: false });
Require a clear user confirmation before every transaction, including the mint address, SOL amount, fee split, recipient wallets, and expected effect.
The agent may continue running portfolio recap commands and posting wallet information after the initial task, and the workspace heartbeat file may be changed.
The skill asks the agent to create recurring background behavior through heartbeat or scheduled tasks without a separate opt-in step in the visible instructions.
When this skill is first loaded... immediately start the onboarding flow... Set up daily recaps... If a `HEARTBEAT.md` file exists... append... If it doesn't exist, create it... register a daily job
Make daily recaps opt-in, document how to disable them, and review any HEARTBEAT.md or cron/scheduled task entries after installation.
Installing the skill can fetch and execute dependency installation logic from npm, which expands the trusted code base beyond the files shown here.
The skill directs the agent to install npm dependencies at runtime even though the registry says there is no install spec.
ls {baseDir}/node_modules/@pump-fun/pump-sdk 2>/dev/null || (cd {baseDir} && npm install)
Install only in a trusted environment, review package.json dependencies, and prefer pinned/locked dependency versions where possible.
This is expected for vanity-address generation, but it depends on a local binary and executes a command from the user's environment.
The launch script executes the local solana-keygen binary to generate vanity mint addresses.
execFile("solana-keygen", args, { cwd: tempDir, timeout: VANITY_TIMEOUT_MS }, (error) => {
Use this feature only if you trust the installed Solana CLI; otherwise use the random mint fallback or skip vanity generation.
Portfolio and wallet-balance information may appear in agent conversations, logs, or scheduled recap outputs.
The stats script outputs wallet address, balance, unclaimed fees, and token portfolio data, which daily recap instructions may reuse or send.
walletAddress: wallet.publicKey.toBase58(), walletBalance: walletBalance / 1e9, totalUnclaimedFees, tokens: tokenStats
Treat recaps as sensitive financial data and disable scheduled recaps if the workspace, chat history, or logs are shared.
Users may underestimate market, liquidity, fee, or wallet-risk issues when launching a token through the agent.
The skill uses strong earnings-oriented language while also directing the user to fund a wallet and accept a fee-sharing model.
Every token you launch earns passive SOL... You keep 80% of those fees — forever.
Clarify that earnings are not guaranteed, confirm the 80/20 fee split before launch, and avoid funding more SOL than needed.
