Solpaw-Launcher

Suspicious. Audited by ClawScan on May 10, 2026.

Overview

Review before installing: this is a real token-launcher, but it asks for wallet-signing authority and one visible code path conflicts with the claim that your wallet is always the on-chain creator.

Install only if you understand that token launches and SOL fees are public, financial, and generally irreversible. Use a dedicated wallet with only the SOL you intend to spend, verify the platform wallet and API endpoint, inspect any transaction before signing, and do not rely on the visible launchToken path if you require your wallet to be the on-chain creator.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (Medium Confidence)
ASI03: Identity and Privilege Abuse
What this means

A bad or unexpected transaction could spend funds from the signing wallet or create an irreversible on-chain action.

Why it was flagged

The skill asks the agent to use a Solana private key to sign launch transactions built through an external API. Although the docs recommend an ephemeral wallet, the artifacts do not show local transaction inspection or hard spending bounds before signing.

Skill content
`SOLANA_PRIVATE_KEY` — your wallet private key (base58 encoded, for local signing only — never sent to server) ... `TX_DATA=$(curl ... /tokens/launch-local ...)` ... `# Sign the transaction with your private key, then submit`
Recommendation

Use a fresh wallet funded only with the intended fee and initial buy amount, never use a main wallet key, and inspect decoded transaction instructions before signing.

What this means

A user may believe their wallet will be the Pump.fun on-chain creator when the visible SDK path may instead use a server-signed fallback flow.

Why it was flagged

The visible `launchToken` implementation uses the `/tokens/launch` Lightning/fallback endpoint. The provided API docs describe that endpoint as server-signed with the platform wallet as on-chain creator, which conflicts with SKILL.md's repeated claim that the user's wallet is the on-chain creator in Local Mode.

Skill content
`// Launch via Lightning API` ... `>("POST", "/tokens/launch", { ... creator_wallet: params.creator_wallet || this.config.defaultCreatorWallet ... })`
Recommendation

Require the local-mode `/tokens/launch-local` plus signed submit flow for creator-owned launches, or update the docs and command path so the creator behavior is unambiguous.

What this means

If the wrong command or parameters are approved, the agent could perform an unintended token launch or related API action.

Why it was flagged

The skill is configured to use raw exec dispatch and includes curl/API workflows. This is purpose-aligned for an instruction-only integration, but it means users should review the exact command/API call before running it.

Skill content
`command-dispatch: tool`; `command-tool: exec`; `command-arg-mode: raw`
Recommendation

Only run reviewed commands, confirm token name/symbol/description and fee details, and prefer a typed/scoped tool path where available.