Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Solpaw-Launcher

v3.0.2

Launch Solana tokens on Pump.fun via the SolPaw platform. 0.1 SOL one-time fee. Your wallet is the onchain creator.


Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for lvcidpsyche/solpaw-launcher.

Install the skill "Solpaw-Launcher" (lvcidpsyche/solpaw-launcher) from ClawHub.
Skill page: https://clawhub.ai/lvcidpsyche/solpaw-launcher
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: SOLPAW_API_KEY, SOLPAW_CREATOR_WALLET, SOLANA_PRIVATE_KEY, SOLPAW_API_URL
Required binaries: curl
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install lvcidpsyche/solpaw-launcher

ClawHub CLI


npx clawhub@latest install solpaw-launcher

Security Scan

VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)

Purpose & Capability
Name/description (launch Solana tokens) match the API and files (SDK, README, API docs). However the code calls the server-side /tokens/launch endpoint (server-signing / 'Lightning' mode) while the SKILL.md and README repeatedly recommend Local Mode (/tokens/launch-local) and claim the agent's wallet will be the onchain creator. The skill also declares SOLANA_PRIVATE_KEY as required, but the TypeScript code does not use it. This mismatch between what is claimed and what is implemented is incoherent.
Instruction Scope
SKILL.md provides explicit curl commands for registering, fetching a CSRF token, uploading images, building an unsigned transaction (launch-local) and submitting a signed transaction. Those instructions are scoped to the launch task and do not ask for unrelated system files. However the README and SKILL.md strongly advise local signing while the shipped SDK code uses the server-signing endpoint — that divergence changes what data is actually needed/transmitted and how authority over the resulting onchain mint is assigned. The skill also instructs the user to send irreversible funds (0.1 SOL) to a platform wallet; that is expected for this purpose but is a high-impact action that users must explicitly authorize.
Install Mechanism
Instruction-only / TypeScript source included; no download-from-URL installs or remote execution steps. package.json and TS file are present but there is no high-risk install mechanism. Required binary 'curl' is reasonable for the curl examples.
Credentials
The declared required env vars (SOLPAW_API_KEY, SOLPAW_CREATOR_WALLET, SOLANA_PRIVATE_KEY, SOLPAW_API_URL) mostly make sense: API key and creator wallet for the service. But SOLANA_PRIVATE_KEY is flagged as required even though the provided TypeScript code never uses it (the code does not perform local signing). Asking for a private key is high-sensitivity and should only be requested if local signing is actually implemented. That mismatch is disproportionate and risky if users supply their main wallet key.
Persistence & Privilege
The skill is not always-enabled, it is user-invocable only, and model invocation is disabled (so it cannot autonomously run). It does not request system-wide config paths or try to modify other skills. No persistence/privilege escalation indicators.
What to consider before installing
Do not install or give secrets until the implementation mismatch is resolved. The two red flags: (1) the docs promise local (client) transaction signing but the included SDK code calls the server-side /tokens/launch endpoint (which may make the platform the onchain creator), and (2) the skill declares SOLANA_PRIVATE_KEY required even though the code doesn't use it. Before using:

  1. Ask the author which endpoint the SDK will call in production and whether the skill actually performs local signing or server signing.
  2. If you plan to proceed, NEVER use your main wallet private key — create an ephemeral wallet with only ~0.15 SOL.
  3. Prefer code that uses /tokens/launch-local + /tokens/submit (or review and modify the SDK to implement local signing).
  4. Verify the API base URL (https://api.solpaw.fun) and the platform wallet on an independent source (official docs, repo).
  5. Test on devnet or with a small amount before committing larger funds.

If the author confirms the SDK will be changed to local signing or removes the private-key env requirement, re-evaluate — that would reduce concern.

Like a lobster shell, security has layers — review code before you run it.
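
The two mismatches the scan describes (a declared SOLANA_PRIVATE_KEY that the code never reads, and a call to /tokens/launch where the docs promise /tokens/launch-local plus /tokens/submit) can be checked mechanically before installing. The following is an added example, not code from the skill or from ClawHub; `auditSkill`, `DECLARED_ENV` and `SAMPLE_SOURCE` are hypothetical names, and the sample source is constructed for illustration.

```javascript
// Added example: compare a skill's declared requirements with what its source does.
// SAMPLE_SOURCE is constructed for illustration; it is NOT the real SolPaw SDK.
const DECLARED_ENV = ['SOLPAW_API_KEY', 'SOLPAW_CREATOR_WALLET',
  'SOLANA_PRIVATE_KEY', 'SOLPAW_API_URL'];

const SAMPLE_SOURCE = `
const base = process.env.SOLPAW_API_URL || 'https://api.solpaw.fun/api/v1';
const headers = { Authorization: 'Bearer ' + process.env['SOLPAW_API_KEY'] };
export async function launch(params) {
  const body = { ...params, creator_wallet: process.env.SOLPAW_CREATOR_WALLET };
  return fetch(base + '/tokens/launch', { method: 'POST', headers, body: JSON.stringify(body) });
}`;

function auditSkill(declaredEnv, source) {
  // Collect env vars read as process.env.NAME or process.env['NAME'].
  const used = new Set();
  const envRe = /process\.env(?:\.([A-Za-z_]\w*)|\[\s*['"]([A-Za-z_]\w*)['"]\s*\])/g;
  for (const m of source.matchAll(envRe)) used.add(m[1] || m[2]);

  // Collect the launch-related endpoints named on the page.
  const endpoints = new Set();
  const epRe = /\/tokens\/(launch-local|launch|submit)(?![\w-])/g;
  for (const m of source.matchAll(epRe)) endpoints.add(m[1]);

  // Local signing needs both the unsigned-build and the submit endpoint.
  const local = endpoints.has('launch-local') && endpoints.has('submit');
  const server = endpoints.has('launch');
  const signingMode = local && server ? 'mixed' : local ? 'local' : server ? 'server' : 'unknown';

  const declaredUnused = declaredEnv.filter((v) => !used.has(v));
  const undeclaredUsed = [...used].filter((v) => !declaredEnv.includes(v));

  const findings = [];
  for (const v of declaredUnused) findings.push(`declared but never read: ${v}`);
  for (const v of undeclaredUsed) findings.push(`read but not declared: ${v}`);
  if (signingMode !== 'local') findings.push(`signing mode is "${signingMode}", docs promise local`);
  if (signingMode === 'server' && declaredEnv.includes('SOLANA_PRIVATE_KEY')) {
    findings.push('private key requested although nothing is signed client-side');
  }
  return { signingMode, declaredUnused, undeclaredUsed, findings };
}

const report = auditSkill(DECLARED_ENV, SAMPLE_SOURCE);
console.log(JSON.stringify(report, null, 2));
```

This is a text-level check: an endpoint path assembled at runtime or an env var read through a wrapper will not be seen, so a clean result still calls for reading the code.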

Runtime requirements

🐾 Clawdis
Bins: curl
Env: SOLPAW_API_KEY, SOLPAW_CREATOR_WALLET, SOLANA_PRIVATE_KEY, SOLPAW_API_URL
Primary env: SOLPAW_API_KEY
latest: vk975awk73sbj06fwaycrtqbgsn80wdad
908 downloads
0 stars
2 versions
Updated 13h ago
v3.0.2
MIT-0

SolPaw — Launch Tokens on Solana via Pump.fun

When to use

Use this skill when the user explicitly asks to:

  • Launch a new memecoin / token on Solana via Pump.fun
  • Deploy a token with a name, symbol, description, and image
  • Create a Pump.fun token listing for a community, project, or meme

This skill MUST only be invoked by the user. Do not autonomously launch tokens.

Overview

SolPaw is the first Solana token-launch platform for autonomous agents. It handles IPFS metadata uploads, transaction building, and Pump.fun deployment.

  • Cost: 0.1 SOL one-time platform fee + ~0.02 SOL Pump.fun creation fee per launch
  • Creator: Your agent's wallet is the real onchain creator on Pump.fun
  • Limit: 1 launch per agent per 24 hours
  • Platform wallet: GosroTTvsbgc8FdqSdNtrmWxGbZp2ShH5NP5pK1yAR4K
  • Docs: https://solpaw.fun

Security

  • Ephemeral wallets recommended: Use a dedicated launch wallet with only the SOL needed (~0.15 SOL). Never use your main wallet's private key.
  • SOLANA_PRIVATE_KEY is used exclusively for local transaction signing. It is never transmitted to the SolPaw API server — signing happens client-side.
  • API key (SOLPAW_API_KEY) authenticates requests but cannot sign transactions or move funds.
  • CSRF tokens are single-use and expire after 30 minutes, preventing replay attacks.
  • Fee signatures are verified onchain and cannot be reused for multiple launches.
  • Daily limit: 1 launch per agent per 24 hours, enforced server-side.
  • All secrets (SOLPAW_API_KEY, SOLANA_PRIVATE_KEY) must be stored in environment variables, never in code or chat.

Prerequisites

  1. A Solana wallet with at least 0.15 SOL (0.1 platform fee + ~0.02 Pump.fun fee + gas)
  2. A SolPaw API key (register at the API)
  3. Environment variables set:
    • SOLPAW_API_KEY — your SolPaw API key
    • SOLPAW_CREATOR_WALLET — your Solana wallet public key
    • SOLANA_PRIVATE_KEY — your wallet private key (base58 encoded, for local signing only — never sent to server)
    • SOLPAW_API_URL — API base URL (default: https://api.solpaw.fun/api/v1)

Steps

Step 1: Register (one-time)

curl -s -X POST https://api.solpaw.fun/api/v1/agents/register \
  -H "Content-Type: application/json" \
  -d '{"agent_name":"MyAgent","default_fee_wallet":"YOUR_WALLET_ADDRESS"}' | jq .

Save the api_key from the response. It will NOT be shown again.

Step 2: Get a CSRF token

CSRF=$(curl -s -H "Authorization: Bearer $SOLPAW_API_KEY" \
  https://api.solpaw.fun/api/v1/agents/csrf | jq -r '.data.csrf_token')

Step 3: Send 0.1 SOL launch fee

Send 0.1 SOL (100,000,000 lamports) to the platform wallet: GosroTTvsbgc8FdqSdNtrmWxGbZp2ShH5NP5pK1yAR4K

Save the transaction signature.

Step 4: Upload token image (optional but recommended)

IMAGE_ID=$(curl -s -X POST https://api.solpaw.fun/api/v1/tokens/upload-image \
  -H "Authorization: Bearer $SOLPAW_API_KEY" \
  -F "file=@token-logo.png" | jq -r '.data.image_id')

Step 5: Launch token (Local Mode — your wallet is the creator)

# Build unsigned transaction
TX_DATA=$(curl -s -X POST https://api.solpaw.fun/api/v1/tokens/launch-local \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $SOLPAW_API_KEY" \
  -d '{
    "name": "MyCoolToken",
    "symbol": "MCT",
    "description": "An awesome token launched by an AI agent on SolPaw",
    "creator_wallet": "'"$SOLPAW_CREATOR_WALLET"'",
    "signer_public_key": "'"$SOLPAW_CREATOR_WALLET"'",
    "launch_fee_signature": "YOUR_FEE_TX_SIGNATURE",
    "image_id": "'"$IMAGE_ID"'",
    "initial_buy_sol": 0,
    "slippage": 10,
    "priority_fee": 0.0005,
    "csrf_token": "'"$CSRF"'"
  }')

# Sign the transaction with your private key, then submit
SIGNED_TX="..." # sign the base64 transaction from TX_DATA
curl -s -X POST https://api.solpaw.fun/api/v1/tokens/submit \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer $SOLPAW_API_KEY" \
  -d '{"signed_transaction": "'"$SIGNED_TX"'", "mint": "MINT_FROM_TX_DATA"}'

Using the TypeScript SDK (Easier)

import SolPawSkill from './solpaw-skill';
import { Keypair } from '@solana/web3.js';
import bs58 from 'bs58'; // required for bs58.decode below

const solpaw = new SolPawSkill({
  apiEndpoint: 'https://api.solpaw.fun/api/v1',
  apiKey: process.env.SOLPAW_API_KEY,
  defaultCreatorWallet: process.env.SOLPAW_CREATOR_WALLET,
});

const keypair = Keypair.fromSecretKey(bs58.decode(process.env.SOLANA_PRIVATE_KEY));

// One-call launch: pays fee + uploads + signs + submits
const result = await solpaw.payAndLaunch({
  name: 'MyCoolToken',
  symbol: 'MCT',
  description: 'Launched by an AI agent on SolPaw',
  image_url: 'https://example.com/logo.png',
  initial_buy_sol: 0.5,
}, keypair);

console.log(result.pumpfun_url); // https://pump.fun/coin/...

Constraints

  • DO NOT launch tokens without explicit user approval — always confirm name, symbol, and description first
  • DO NOT launch more than 1 token per 24 hours (enforced server-side)
  • DO NOT include offensive or misleading token names/descriptions
  • ALWAYS include a token image — tokens without images perform poorly on Pump.fun
  • ALWAYS use Local Mode (pass signer_keypair) so the agent's wallet is the onchain creator
  • The 0.1 SOL platform fee is non-refundable once the launch succeeds
  • CSRF tokens expire after 30 minutes and are single-use
  • Image uploads expire after 30 minutes
  • NEVER log, display, or transmit SOLANA_PRIVATE_KEY — it is used for local signing only

Examples

Successful launch

Agent: I'll launch the DOGE2 token on Pump.fun for you.
> Uploading token image...
> Paying 0.1 SOL launch fee...
> Building transaction...
> Signing and submitting...
> Token launched successfully!
> Pump.fun: https://pump.fun/coin/So1...
> Mint: So1...
> Your wallet is the onchain creator.

Error: insufficient balance

Agent: Your wallet only has 0.05 SOL. You need at least 0.15 SOL to launch:
- 0.1 SOL platform fee
- ~0.02 SOL Pump.fun creation fee
- ~0.01 SOL for gas
