ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

KaspaCom LFG MCP

v0.1.0

Use KaspaCom LFG Launchpad through the KaspaCom DeFi MCP/CLI for launch discovery and launch-token trading on IGRA and Kasplex. Trigger on active launch look...

0· 70·0 current·0 all-time
by@marciano147

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for marciano147/kaspacom-lfg-mcp.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "KaspaCom LFG MCP" (marciano147/kaspacom-lfg-mcp) from ClawHub.
Skill page: https://clawhub.ai/marciano147/kaspacom-lfg-mcp
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install kaspacom-lfg-mcp

ClawHub CLI

Package manager switcher

npx clawhub@latest install kaspacom-lfg-mcp
Security Scan
Capability signals
Crypto
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The name/description match the SKILL.md examples (discovery and buy/sell on KaspaCom/Kasplex). However, the skill shows transaction commands that necessarily require signing keys or a wallet and RPC/provider configuration — none of which are declared in the skill's requirements or described in the instructions. That missing credential/config requirement is disproportionate to what the manifest lists and creates an incoherence.
!
Instruction Scope
The SKILL.md tells the agent to globally install an npm package and run CLI commands including buyLaunchToken/sellLaunchToken. These are potentially fund-moving actions. The instructions do not explain how to provide or protect private keys, which account will be used, or which RPC endpoints will be contacted. The scope is therefore incomplete and could lead to accidental transactions or credential exposure.
Install Mechanism
There is no formal install spec in the registry metadata, but SKILL.md recommends `npm i -g @kaspacom/defi-mcp`. Installing a global npm package is plausible for this purpose, but it is an external package (not tied to a vetted URL in the manifest) and npm packages can run install-time scripts. This increases risk slightly versus an instruction-only skill that never touches external packages.
!
Credentials
The skill declares no required environment variables or credentials, yet the runtime examples imply the need for account private keys, wallet access, and network/RPC configuration. Requiring no env vars is disproportionate and ambiguous; the skill should explicitly declare what secrets/config are necessary and where they are read from.
Persistence & Privilege
The skill does not request always:true, has no install spec that writes persistent files on its own in the registry metadata, and does not claim to modify other skills or system-wide agent settings. Autonomous invocation remains possible (default), but that is normal and not in itself an extra privilege here.
What to consider before installing
Before installing or using this skill: (1) Verify the npm package @kaspacom/defi-mcp exists on the public registry and inspect its source repository (look for README, owner, recent commits, and absence of suspicious install scripts). (2) Do NOT run buy/sell commands until you know how the CLI signs transactions — ask the author which environment variables or wallet files are required and where private keys are stored or prompted for. (3) Prefer testing read-only commands first and run any install in an isolated environment or container. (4) If you must provide keys, use a limited-purpose account with minimal funds and hardware-backed keys where possible. (5) Additional information that would change this assessment: a published package homepage/repo, a manifest showing required env vars (e.g., PRIVATE_KEY, RPC_URL), or explicit instructions on safe key handling and network endpoints.

Like a lobster shell, security has layers — review code before you run it.

kaspavk97bvfphpdvmnhf5e04sq5fyqn84rmjzlatestvk97bvfphpdvmnhf5e04sq5fyqn84rmjzlaunchpadvk97bvfphpdvmnhf5e04sq5fyqn84rmjzlfgvk97bvfphpdvmnhf5e04sq5fyqn84rmjzmcpvk97bvfphpdvmnhf5e04sq5fyqn84rmjz
70downloads
0stars
1versions
Updated 2w ago
v0.1.0
MIT-0
@marciano147
kaspalatestlaunchpadlfgmcp
Download

KaspaCom LFG MCP

Focused skill for KaspaCom LFG Launchpad via MCP/CLI.

Install

npm i -g @kaspacom/defi-mcp

Read-only examples

kaspacom-defi getActiveLaunches --network kasplex
kaspacom-defi getProtocolInfo --network kasplex

Transaction examples

kaspacom-defi buyLaunchToken --token 0xTOKEN --amountIn 100 --network kasplex
kaspacom-defi sellLaunchToken --token 0xTOKEN --amountIn 1000000 --network kasplex

Best for

  • Active launch discovery
  • Bonding curve token access
  • Launchpad buy/sell flows
  • AI-agent launchpad integrations

Comments

Loading comments...