Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

moonfun_sdk

v1.0.6

Python SDK for BSC enabling creation of AI-generated Meme tokens with stable minting and experimental token trading (buy/sell) features.

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Source files (auth, blockchain, image_api, platform, trading) align with the stated purpose of creating/trading BSC meme tokens with AI images. However the runtime metadata/registry says no required env vars or credentials while SKILL.md and code clearly require a PRIVATE_KEY (and optionally MOONFUN_IMAGE_API_URL). That mismatch is an integrity issue the reviewer should resolve.
Instruction Scope
SKILL.md instructs the agent/user to provide a PRIVATE_KEY and to send cryptographic signatures/address/timestamps to hosted services. The default image API endpoint is http://moonfun.site (plain HTTP) in multiple documents — sending signatures and addresses over unencrypted HTTP risks interception/replay during the allowed time window. The SDK claims private keys are never transmitted, and code signs messages locally, but signatures themselves (and timestamps/prompts) are transmitted and could be abused if intercepted within the replay window.
Install Mechanism
There is no high-risk install mechanism in the package metadata (no arbitrary remote downloads). The repository includes setup.py and standard requirements; dependencies are mainstream (web3, eth-account, requests/httpx). Minor inconsistency: the skill metadata indicated ‘instruction-only’ yet a full Python package is included — not a security risk but an administrative mismatch.
Credentials
Requesting a PRIVATE_KEY is proportionate to signing transactions, but the registry metadata omitted it. Additionally auth.py exposes a .private_key property that returns the raw key string — this API increases the chance the key could be accidentally read and transmitted by calling code. The default image API is HTTP (unencrypted), increasing risk even though private keys themselves are not sent.
Persistence & Privilege
The skill does not request always:true or any elevated system persistence. It does not declare writing to other skills' config or system-wide settings. No unusual privilege escalation was found in the included files.
What to consider before installing
This package implements its stated features, but review and caution are required before using with real funds or your primary wallet. Actionable steps:

  • Do not use your main wallet; create a dedicated disposable wallet with a small BNB balance for testing.
  • Expect to set PRIVATE_KEY (environment variable or parameter) — the registry metadata omitted this; confirm required envs before installing.
  • Replace the default image API URL (http://moonfun.site) with an HTTPS endpoint or self-host the image API to avoid sending signatures and addresses over plaintext HTTP. If you must use the default, inspect network traffic (mitmproxy) and be aware signatures could be observed/replayed within their time window.
  • Note auth.py exposes a .private_key property. If you or other code call that, the raw key becomes accessible in-process — avoid calling it and consider modifying the SDK to remove that accessor before use.
  • Audit the code paths that transmit data (image_api.py, platform.py) to confirm only signatures and addresses are sent and that timestamps/replay-windows match your threat model.
  • Prefer installing from reviewed source (pip install -e .) after inspecting the files, and run dependency scanners (safety, bandit). Start with minimal BNB and small test transactions.

If you want, I can point out the exact lines that implement the .private_key accessor and the default HTTP endpoint and suggest minimal code changes (e.g., remove the accessor, require HTTPS) to reduce risk.

Like a lobster shell, security has layers — review code before you run it.

latestvk978bscvq80x9fkz7p16879bws81jwsa
552 downloads
0 stars
3 versions
Updated 9h ago
v1.0.6
MIT-0

MoonfunSDK - BSC Meme Token Creation Tool

Professional Python SDK for creating and trading Meme tokens on Binance Smart Chain with AI-powered image generation.

Overview

MoonfunSDK enables automated creation of Meme tokens with AI-generated images on BSC. The SDK handles image generation, platform integration, and blockchain transactions through a simple Python interface.

Installation

pip install moonfun-sdk

Requirements:

  • Python 3.8+
  • BNB balance ≥ 0.011 (0.01 creation fee + gas)

Quick Start

import os
from moonfun_sdk import MoonfunSDK

# Initialize with private key
sdk = MoonfunSDK(private_key=os.getenv('PRIVATE_KEY'))

# Create Meme token
result = sdk.create_meme(prompt="A happy cat celebrating")

print(f"Token: {result['token_address']}")
print(f"View: https://moonn.fun/detail?address={result['token_address']}")

Core Features

Token Creation (Stable)

  • AI-generated meme images
  • Automatic title and symbol generation
  • One-function deployment to BSC
  • Integrated with MoonnFun platform

Token Trading (Experimental)

  • Buy tokens with BNB
  • Sell tokens for BNB
  • Automatic slippage handling
  • Balance queries

API Methods

create_meme()

sdk.create_meme(
    prompt: str,              # Meme description
    symbol: str = None,       # Auto-generated if None
    description: str = None   # Auto-generated if None
) -> dict

Returns:

  • token_address: Contract address
  • token_id: Platform token ID
  • tx_hash: Creation transaction hash
  • name: Token name
  • symbol: Token symbol
  • image_url: Hosted image URL

buy_token() / sell_token()

sdk.buy_token(token_address: str, bnb_amount: float, slippage: float = 0.1)
sdk.sell_token(token_address: str, amount: int, slippage: float = 0.1)

Balance Queries

sdk.get_balance()                           # Returns BNB balance
sdk.get_token_balance(token_address: str)   # Returns token balance (wei)

Configuration

Default Configuration

The SDK comes pre-configured with hosted services:

  • Image API: Hosted service for AI generation
  • Platform: https://moonn.fun
  • BSC RPC: Public BSC dataseed node

No additional configuration needed for basic usage.

Custom Configuration

sdk = MoonfunSDK(
    private_key="0x...",
    image_api_url="https://custom-api.com",     # Optional
    platform_url="https://moonn.fun",           # Default
    rpc_url="https://bsc-dataseed.bnbchain.org" # Default
)

Environment Variables

Supported environment variables:

  • PRIVATE_KEY (required): Ethereum private key
  • MOONFUN_IMAGE_API_URL (optional): Custom image API endpoint
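
A pre-flight check for the two environment variables above, added here as an example and not part of the SDK: it refuses to proceed when the image API would be the plaintext default (http://moonfun.site) or any non-HTTPS URL, and validates the key's shape without echoing it. ConfigError, check_image_api_url, check_private_key and sdk_kwargs are hypothetical names; the 64-hex-digit length is the standard secp256k1 private key size, an assumption the page does not state.

```python
import re
from urllib.parse import urlsplit

# Default image endpoint as documented on this page (plaintext HTTP).
DEFAULT_IMAGE_API = "http://moonfun.site"
# Assumption: a raw 32-byte key written as 0x + 64 hex digits.
_KEY_RE = re.compile(r"0x[0-9a-fA-F]{64}")


class ConfigError(ValueError):
    """Raised for unsafe settings; messages never contain key material."""


def check_image_api_url(url):
    """Return the URL if it is an HTTPS endpoint, else raise ConfigError."""
    if not url:
        raise ConfigError(
            "MOONFUN_IMAGE_API_URL unset: SDK would fall back to "
            + DEFAULT_IMAGE_API)
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ConfigError("image API must use https, got %r" % parts.scheme)
    if not parts.hostname:
        raise ConfigError("image API URL has no host")
    if parts.username or parts.password:
        raise ConfigError("image API URL must not embed credentials")
    return url


def check_private_key(key):
    """Validate shape only; the value itself is never echoed in errors."""
    if not key:
        raise ConfigError("PRIVATE_KEY is not set")
    if not _KEY_RE.fullmatch(key):
        raise ConfigError("PRIVATE_KEY must be 0x followed by 64 hex digits")
    return key


def sdk_kwargs(env):
    """Build keyword arguments for MoonfunSDK(...) from an env mapping."""
    return {
        "private_key": check_private_key(env.get("PRIVATE_KEY")),
        "image_api_url": check_image_api_url(env.get("MOONFUN_IMAGE_API_URL")),
    }


if __name__ == "__main__":
    import os
    kwargs = sdk_kwargs(os.environ)  # raises ConfigError on unsafe settings
    print("configuration accepted; image API:", kwargs["image_api_url"])
```

The returned dictionary can be passed as MoonfunSDK(**sdk_kwargs(os.environ)), using the private_key and image_api_url parameters shown under Custom Configuration.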

Security

Private Key Handling

Private keys are used locally only for:

  1. Transaction signing (via eth_account library)
  2. Message signing for authentication

Private keys are NEVER:

  • Transmitted over network
  • Stored to disk
  • Logged to console

Code Verification

Users can audit private key usage in source code:

  • auth.py: Local signing with eth_account
  • image_api.py: Sends only signature + address
  • platform.py: Sends only signature + address
  • blockchain.py: Local transaction signing via web3.py

Best Practices

import os

# ✅ Use environment variables
sdk = MoonfunSDK(private_key=os.getenv('PRIVATE_KEY'))

# ✅ Use dedicated wallets
# Create new wallet for SDK operations only

# ❌ Never hardcode keys
sdk = MoonfunSDK(private_key="0x123...")  # Don't do this

Network Details

BSC Mainnet

Smart Contracts

  • Router: 0x953C65358a8666617C66327cb18AD02126b2AAA5
  • WBNB: 0xBB4CdB9CBd36B01bD1cBaEBF2De08d9173bc095c

All addresses are public and verifiable on BSCScan.

Gas Costs

  • Token creation: ~0.011 BNB (0.01 fee + 0.001 gas)
  • Buy/sell: ~0.0005-0.001 BNB per transaction

Error Handling

from moonfun_sdk import (
    InsufficientBalanceError,
    AuthenticationError,
    TransactionFailedError
)

try:
    result = sdk.create_meme("A funny cat")
except InsufficientBalanceError:
    print("Need more BNB (minimum 0.011)")
except AuthenticationError:
    print("Signature verification failed")
except TransactionFailedError:
    print("Blockchain transaction failed")

Hosted Services

The SDK uses these services:

  1. Image Generation API

    • Secured with cryptographic signatures
    • Balance-gated (minimum 0.011 BNB)
    • Timestamp-bound requests
    • Default endpoint: http://moonfun.site
    • Users can deploy custom instances
  2. MoonnFun Platform

  3. BSC Network

    • Public blockchain
    • Decentralized infrastructure

Dependencies

Core dependencies:

  • web3>=6.0.0 - Ethereum interaction
  • eth-account>=0.8.0 - Private key management
  • requests>=2.28.0 - HTTP client
  • httpx>=0.24.0 - Async HTTP client

All dependencies are widely used and audited libraries.

Building from Source

# Clone repository
git clone <repository-url>
cd moonfun-sdk/python

# Review source code
cat moonfun_sdk/auth.py        # Private key handling
cat moonfun_sdk/image_api.py   # API requests
cat moonfun_sdk/platform.py    # Platform integration

# Install from source
pip install -e .

Changelog

v1.0.6 (Current)

  • Token tag set to "Ai Agent"
  • Improved categorization

v1.0.5

  • Enhanced authentication mechanism
  • Optimized login flow

v1.0.4

  • Support for low-liquidity token selling
  • Trading marked as experimental

Troubleshooting

Issue                      Solution
InsufficientBalanceError   Add BNB (minimum 0.011)
AuthenticationError        Check private key format (needs 0x prefix)
TransactionFailedError     Increase slippage or check gas
RPCConnectionError         Try different RPC endpoint

Resources

License

MIT License

Disclaimer

This SDK interacts with blockchain and requires real BNB. Users should:

  • Test with small amounts first
  • Use dedicated wallets
  • Review source code
  • Understand blockchain risks

Trading features are experimental and may have issues with new/low-liquidity tokens.
