Solpaw
Status: Warn. Audited by ClawScan on May 10, 2026.
Overview
This token-launch skill is high risk because it can spend/sign with a Solana wallet key and its code appears to conflict with the promised local creator flow.
Review carefully before installing. If you use it, use only a throwaway Solana wallet with limited funds, require manual approval for the exact token details, fees, initial buy, and slippage, and verify that the code actually uses the local-mode transaction flow before signing anything.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Finding 1
Risk: If the API response or agent workflow is wrong, the wallet could sign unintended Solana actions or spend more SOL than the user expected.
Evidence: The workflow has the agent sign and submit a transaction blob produced by the SolPaw API. The artifacts do not show local decoding, instruction verification, amount caps, or a hard approval gate before signing.
TX_DATA=$(curl ... /tokens/launch-local ...)
# Sign the transaction with your private key, then submit
SIGNED_TX="..." # sign the base64 transaction from TX_DATA
Recommendation: Use a dedicated low-balance wallet, require explicit confirmation of decoded transaction details, cap spend/slippage, and do not blindly sign API-built transactions.
Finding 2
Risk: Misuse, prompt confusion, or a compromised dependency/service could lead to loss of funds or unintended on-chain transactions.
Evidence: A full Solana private key in the agent environment gives signing and spending authority over the wallet, not just permission to use the SolPaw API.
`SOLANA_PRIVATE_KEY` — your wallet private key (base58 encoded, for signing)
Recommendation: Do not use a main wallet. Use a fresh wallet funded only with the exact amount needed, prefer hardware/wallet-adapter confirmation, and rotate/remove the key after use.
Finding 3
Risk: A user may pay and launch believing their wallet will be the on-chain creator and local signer, while the provided SDK path appears to use a different trust model.
Evidence: The included API docs describe `/tokens/launch` as the fallback where the server signs and the platform wallet is the on-chain creator, while SKILL.md says to always use Local Mode and that the user's wallet is the creator.
// Launch via Lightning API
const result = await this.request<...>("POST", "/tokens/launch", {
Recommendation: Make the SDK use `/tokens/launch-local` plus `/tokens/submit`, or clearly label `/tokens/launch` as a fallback requiring explicit opt-in, and update the user-facing claims.
