Skillv0.1.1

ClawScan security

Solpaw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 11, 2026, 9:35 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's description and docs say launches are signed locally (your wallet is the on‑chain creator) but the shipped code uses the server-side 'launch' endpoint and never uses the SOLANA_PRIVATE_KEY it asks for — this mismatch is unexpected and risky.
Guidance: Do not hand over your SOLANA_PRIVATE_KEY or set it as an environment variable for this skill until the mismatches below are resolved. Specific actions to consider before installing or using this skill: - Ask the maintainer to explain and fix the discrepancy: the SKILL.md/README recommend local signing (/tokens/launch-local + /tokens/submit) but the shipped code calls /tokens/launch (server-side signing). Confirm which mode will actually be used and why. - If you want your wallet to be the on‑chain creator, insist the code use the local-signing flow (build unsigned tx, sign locally with your key, call /tokens/submit) and that SOLANA_PRIVATE_KEY is used only locally (never sent to the API). - Until that's clarified, do not put your private key in an environment variable accessible to the agent runtime. Prefer ephemeral signing (hardware wallet, remote signing service you control, or manual signing) and test on devnet/testnet first with small amounts. - Verify the platform wallet address and the project identity off-platform (check the GitHub repo, owner, and domain registration for solpaw.fun). The platform wallet is hardcoded in docs — confirm it matches the official project and not an impostor. - Require explicit user confirmation before any payment or launch action. The skill's docs state this, but it's a policy; make sure your agent enforces a human approval step before sending funds or signing transactions. - If you must use the skill, review/replace the launchToken implementation so it uses /tokens/launch-local and /tokens/submit (or otherwise ensure private keys never leave your environment), and re-run a code audit. Because of the uncertain mismatch (private-key requirement vs server-side signing), treat this skill as suspicious until the author provides a clear explanation or the code is updated to match the documented, local-signing behavior.

Review Dimensions

Purpose & Capability: concernThe skill claims 'ALWAYS use Local Mode' and that 'your wallet is the onchain creator' (SKILL.md/README). However, the TypeScript implementation's launchToken() posts to /tokens/launch (server-side signing / lightning mode) rather than /tokens/launch-local. That makes the platform (not the user's wallet) the onchain creator. Requiring a SOLANA_PRIVATE_KEY in metadata/requirements while the code does not use it is inconsistent.
Instruction Scope: concernSKILL.md instructs building an unsigned transaction (/tokens/launch-local), signing locally, and submitting (/tokens/submit). The code instead calls the server 'launch' endpoint (lightning mode). The documentation and runtime instructions therefore diverge from the actual code path; this is scope/instruction mismatch that could change who controls minted tokens and how fees/ownership work.
Install Mechanism: okNo install spec (instruction-only) and required binary is only curl. There is a TypeScript source file included, but nothing in the package writes arbitrary archives or pulls code from unusual URLs. Install mechanism itself is low-risk.
Credentials: concernThe skill declares three env vars (SOLPAW_API_KEY, SOLPAW_CREATOR_WALLET, SOLANA_PRIVATE_KEY). SOLPAW_API_KEY and creator wallet are reasonable. Asking for SOLANA_PRIVATE_KEY (a high-value secret) is only justified if the agent will sign transactions locally; the included code does not use that key, so the requirement is disproportionate and unexplained. Storing private keys in environment variables is intrinsically sensitive — avoid unless strictly necessary and audited.
Persistence & Privilege: notealways:false (good). disable-model-invocation:false (default) means the agent can call the skill autonomously. That is normally acceptable, but combined with a declared requirement for a private key (even if not used by the included code) increases the blast radius: an autonomously-invoking skill with access to a private key could sign transactions without explicit approval. The skill's own policy text requires user confirmation, but that is not enforced automatically.