ClawHub

4CHAD

v1.0.0

Launch meme tokens, trade Solana assets, and claim creator fees on 4chad.xyz - the autonomous AI agent trading platform

1· 1k·0 current·0 all-time
by@moskon1
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
Stated purpose (launch tokens, trade, claim fees on Solana) reasonably requires a Solana private key and an API key — those appear in the SKILL.md. However the registry metadata you provided lists no required env vars or bins while the SKILL.md metadata claims SOLANA_PRIVATE_KEY, node, and curl. This mismatch (registry vs. SKILL.md) is an incoherence that should be resolved before trusting the skill.
!
Instruction Scope
Instructions tell the agent to download a signing script from https://4chad.xyz and run it with the private key passed as a command-line argument, submit signed transactions to the remote API, and curl many remote files into ~/.4chad/skills. These steps involve reading and using a private key, running external code fetched at runtime, and transmitting signed transactions to an external service — all expected for this functionality but high-risk if the remote code or endpoints are malicious or tampered with. Passing private keys as CLI args (node sign-transaction.js "$UNSIGNED_TX" "$SOLANA_PRIVATE_KEY") exposes keys via process lists and is poor security practice.
!
Install Mechanism
No formal install spec is in the registry, but SKILL.md recommends running multiple curl commands to fetch scripts and docs from 4chad.xyz into ~/.4chad/skills. Downloading and executing remote scripts at install/runtime is high-risk unless the source is verified and reproducible. The package also contains sign-transaction.js, yet the docs still instruct downloading it — this inconsistency (bundled file vs. external fetch) is suspicious.
!
Credentials
Requiring a SOLANA_PRIVATE_KEY and a 4CHAD_API_KEY is proportionate to the claimed functionality. However the registry metadata omitted these required env vars while SKILL.md includes them, and SKILL.md's metadata marks SOLANA_PRIVATE_KEY as primaryEnv. Combined with the fact the agent appears allowed to invoke the skill, giving the model runtime access to a private key is excessive unless explicit user consent and safeguards are present. Also the SKILL.md shows passing the private key on the command line, which increases exposure risk.
!
Persistence & Privilege
The skill is not marked always:true, which is good, but the registry flags for model invocation are unset (disable-model-invocation not set), meaning the model could autonomously call this skill. With a primaryEnv private key and scripts that sign and submit transactions, that combination could allow the model to initiate on-chain transactions without clear user confirmation. There is also an instruction to create ~/.4chad/skills and populate it with remote files, giving the skill a persistent footprint on disk.
What to consider before installing
Do not install or run this skill yet. Before proceeding, ask the publisher to: (1) reconcile registry metadata with SKILL.md so required env and binaries are explicit in the registry; (2) provide a verifiable, versioned, signed copy of the sign-transaction.js and other scripts (avoid curl-from-web install), and let you audit the code; (3) avoid patterns that expose private keys (never pass private keys on the command line; use a secure local keystore or hardware wallet); (4) require explicit user-confirmation for every transaction and set disableModelInvocation:true (or make the skill user-invocable only) so the model cannot autonomously sign/submit transactions; (5) publish a threat model / privacy statement explaining what user data is sent to 4chad.xyz. If you must test, do so with a throwaway wallet with minimal funds and after reviewing the signing script's source locally.

Like a lobster shell, security has layers — review code before you run it.

crypto solana trading token launch memecoinsvk97cm9yydvx8z81zdat06b46qx80pyh3latestvk97cm9yydvx8z81zdat06b46qx80pyh3

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🐸 Clawdis
Binsnode, curl
EnvSOLANA_PRIVATE_KEY
Primary envSOLANA_PRIVATE_KEY

SKILL.md

4chad 🐸

The Solana meme token launchpad where AI agents can autonomously launch tokens, trade assets, and claim creator fees.

Skill Files

FileURL
SKILL.md (this file)https://4chad.xyz/skill.md
LAUNCH.mdhttps://4chad.xyz/launch.md
TRADING.mdhttps://4chad.xyz/trading.md
FEES.mdhttps://4chad.xyz/fees.md
EXAMPLES.mdhttps://4chad.xyz/examples.md
skill.json (metadata)https://4chad.xyz/skill.json
sign-transaction.jshttps://4chad.xyz/sign-transaction.js

Install locally:

mkdir -p ~/.4chad/skills
curl -s https://4chad.xyz/skill.md > ~/.4chad/skills/SKILL.md
curl -s https://4chad.xyz/launch.md > ~/.4chad/skills/LAUNCH.md
curl -s https://4chad.xyz/trading.md > ~/.4chad/skills/TRADING.md
curl -s https://4chad.xyz/fees.md > ~/.4chad/skills/FEES.md
curl -s https://4chad.xyz/examples.md > ~/.4chad/skills/EXAMPLES.md
curl -s https://4chad.xyz/sign-transaction.js > ~/.4chad/skills/sign-transaction.js
curl -s https://4chad.xyz/skill.json > ~/.4chad/skills/skill.json

What is 4chad?

4chad is a Solana token launchpad with full AI agent support where:

  • Launch tokens on Meteora's Dynamic Bonding Curve (Easy & Advanced modes)
  • Trade any Solana asset using Jupiter's universal routing
  • Claim creator fees from tokens you've launched
  • No browser required - all transactions signed locally with your private key

As an autonomous agent, you can create and manage tokens, trade positions, and claim earnings -all programmatically via API.

🚀 Core Capabilities

  • Token Creation — Launch memes with PumpFun-style curves (85 SOL) or custom supply/targets
  • Universal Trading — Swap any Solana token via Jupiter v6 API
  • Fee Claiming — Earn 0.4% of trading volume + 95% locked LP after migration
  • Local Signing — Never send private keys over network (unsigned transaction pattern)

Prerequisites

  1. Solana wallet with private key - For signing transactions locally
  2. 4chad API key - Generate at https://4chad.xyz/api-keys or via signature verification
  3. SOL balance - For transaction fees and token creation (~0.02 SOL + costs)
  4. Node.js - For local transaction signing script
  5. curl & jq - For API requests and JSON parsing

Environment Variables

Store your credentials securely:

export SOLANA_PRIVATE_KEY="your_base58_private_key"
export 4CHAD_API_KEY="4chad_your_api_key"
export SOLANA_RPC_URL="https://api.mainnet-beta.solana.com"  # Optional

⚠️ Never commit private keys to version control or logs!

Quick Start

1. Generate API Key

First, generate an API key by signing a message with your wallet:

# Create signature message
TIMESTAMP=$(date +%s)
MESSAGE="4chad API Key Request\nTimestamp: $TIMESTAMP"

# Sign with your wallet (programmatically with @solana/web3.js)
# Then call the API:
curl -X POST https://4chad.xyz/api/v1/agent/keys/create \
  -H "Content-Type: application/json" \
  -d "{
    \"walletAddress\": \"YOUR_WALLET_ADDRESS\",
    \"signature\": \"BASE58_SIGNATURE\",
    \"message\": \"4chad API Key Request\\nTimestamp: $TIMESTAMP\",
    \"name\": \"Agent Key\"
  }"

Response:

{
  "success": true,
  "apiKey": {
    "key": "4chad_AbCdEf...",  // Save this - shown only once!
    "keyId": "uuid",
    "name": "Agent Key",
    "status": "active"
  }
}

💾 Save the API key - it's only shown once!

2. Download Transaction Signing Script

curl -O https://4chad.xyz/sign-transaction.js

This script signs transactions locally without sending your private key over the network.

3. Launch Your First Token

See LAUNCH.md for complete token creation guide.

Quick example (Easy Mode):

RESPONSE=$(curl -X POST https://4chad.xyz/api/v1/agent/token/create-transaction \
  -H "X-API-Key: $4CHAD_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "mode": "easy",
    "name": "My Token",
    "symbol": "TOKEN",
    "description": "First agent-launched token",
    "imageUrl": "https://example.com/image.png",
    "initialBuySOL": 0.1
  }')

UNSIGNED_TX=$(echo $RESPONSE | jq -r '.response.unsignedTransaction')
TOKEN_MINT=$(echo $RESPONSE | jq -r '.response.tokenMint')

# Sign locally with your private key
SIGNED_TX=$(node sign-transaction.js "$UNSIGNED_TX" "$SOLANA_PRIVATE_KEY")

# Submit to blockchain
curl -X POST https://4chad.xyz/api/v1/agent/transaction/submit \
  -H "X-API-Key: $4CHAD_API_KEY" \
  -H "Content-Type: application/json" \
  -d "{\"signedTransaction\": \"$SIGNED_TX\"}"

echo "Token created: $TOKEN_MINT"

4. Trade Tokens

See TRADING.md for complete trading guide.

5. Claim Fees

See FEES.md for fee claiming guide.

API Endpoints

4chad uses a single API base: https://4chad.xyz/api/v1

Agent Endpoints (require API key via X-API-Key header)

API Key Management:

EndpointMethodDescription
/agent/keys/createPOSTGenerate new API key (signature verification)
/agent/keys/listGETList your API keys with usage stats

Token Operations:

EndpointMethodDescription
/agent/token/create-transactionPOSTCreate unsigned token launch transaction

Trading:

EndpointMethodDescription
/agent/trade/quotePOSTGet swap quote (public, no auth)
/agent/trade/create-swapPOSTCreate unsigned swap transaction

Fee Management:

EndpointMethodDescription
/agent/fees/claim-transactionPOSTCreate unsigned fee claim transaction(s)

Transaction Submission:

EndpointMethodDescription
/agent/transaction/submitPOSTSubmit signed transaction to Solana

Helper Functions

Check API Usage

curl -X GET https://4chad.xyz/api/v1/agent/keys/list \
  -H "X-API-Key: $4CHAD_API_KEY"

Returns:

  • Total requests made
  • Total tokens created
  • Total trades executed
  • Rate limit status (1000 requests/hour)

Get Transaction Status

curl "https://api.mainnet-beta.solana.com" \
  -X POST \
  -H "Content-Type: application/json" \
  -d "{
    \"jsonrpc\": \"2.0\",
    \"id\": 1,
    \"method\": \"getTransaction\",
    \"params\": [
      \"TRANSACTION_SIGNATURE\",
      {\"encoding\": \"json\", \"maxSupportedTransactionVersion\": 0}
    ]
  }"

Security Best Practices

✅ DO:

  • Store private keys in environment variables or secure vaults
  • Sign transactions locally (never send private keys over network)
  • Use separate wallets for different strategies
  • Monitor API rate limits (1000 requests/hour per key)
  • Verify transaction results on-chain
  • Set appropriate slippage for volatile tokens

❌ DON'T:

  • Share API keys publicly
  • Hard-code private keys in scripts
  • Skip transaction verification
  • Ignore rate limit errors
  • Use production keys for testing

Rate Limits

  • 1000 requests per hour per API key
  • Counter resets hourly
  • Exceeding limit returns 429 status
  • Use /api/v1/agent/keys/list to check usage

Response Headers:

  • X-RateLimit-Remaining — Requests left
  • X-RateLimit-Reset — When limit resets (Unix timestamp)

Error Handling

Common errors and solutions:

429 Too Many Requests

  • Wait for rate limit to reset (check headers)
  • Consider using multiple API keys for high-frequency operations

401 Unauthorized

  • Verify API key is correct
  • Check if key is still active via /agent/keys/list

400 Bad Request

  • Validate all required parameters
  • Check token addresses are valid Solana addresses
  • Ensure amounts are in correct units (lamports, not SOL)

Transaction Failed

  • Check wallet has sufficient SOL balance
  • Increase slippage for volatile tokens
  • Verify blockhash hasn't expired (transactions valid for ~60 seconds)

Detailed Guides

GuideWhat You'll Learn
LAUNCH.mdToken creation with Easy & Advanced modes
TRADING.mdSwap any Solana token via Jupiter
FEES.mdClaim creator trading fees
EXAMPLES.mdComplete workflow examples (launch + trade + claim)

Your Human Can Ask Anytime

Your human can prompt you to interact with 4chad:

  • "Check my 4chad API usage"
  • "Launch a token called [name]"
  • "Trade my SOL for [token]"
  • "Claim my creator fees from 4chad"
  • "What's my wallet balance?"

You don't need to wait for a schedule — if they ask, do it!

Support & Links

Technical Details

  • Blockchain: Solana (mainnet-beta)
  • Token Standard: SPL Token (Meteora DBC)
  • DEX Integration: Jupiter v6 Swap API
  • Transaction Format: Versioned Transactions (v0) + Legacy
  • Signature Scheme: Ed25519
  • RPC: Configurable (default: https://api.mainnet-beta.solana.com)

Built for autonomous AI agents on Solana 🐸

Files

7 total
Select a file
Select a file to preview.

Comments

Loading comments…