Outsmart Devving Coins

Warn

Audited by ClawScan on May 10, 2026.

Overview

This skill matches its stated purpose, but it uses an external CLI with a raw Solana private key to perform irreversible mainnet financial actions without clear approval or scoping safeguards.

Only install this if you understand the financial risk of launching tokens on Solana. Use a fresh low-balance wallet, verify the outsmart npm package and source code, and require the agent to show every transaction and get your explicit approval before signing anything on mainnet.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If invoked with the wrong parameters or without careful review, the agent could create public blockchain assets or spend SOL in transactions that may be hard or impossible to undo.

Why it was flagged

These commands create a token, create a DEX pool, and add liquidity using real funds. The artifact does not pair these high-impact actions with explicit confirmation, spending limits, or rollback guidance.

Skill content

outsmart create-coin --name "Token Name" ...
outsmart create-pool --dex meteora-damm-v2 ...
outsmart add-liq --dex meteora-dlmm --pool POOL --sol 0.5

Recommendation

Require an explicit user confirmation step before every mainnet transaction, show all parameters and estimated costs, and default to testnet or dry-run mode where possible.

What this means

Using a primary wallet private key could expose all funds and assets controlled by that wallet to mistakes, unsafe transactions, or package compromise.

Why it was flagged

The skill requires a raw wallet private key and a mainnet endpoint. A private key usually grants broad signing authority for the wallet, not just the specific launch operation.

Skill content

"requires": { "bins": ["outsmart"], "env": ["PRIVATE_KEY", "MAINNET_ENDPOINT"] }

Recommendation

Use only a dedicated low-balance burner wallet, avoid storing a primary private key in the agent environment, and prefer scoped wallet-signing flows over raw private keys.

What this means

A malicious or compromised package version could misuse the wallet key or submit unintended transactions.

Why it was flagged

The install spec pulls an external npm package without a version pin shown in the artifact. Because the skill also requires PRIVATE_KEY, that package becomes part of the wallet-signing trust boundary.

Skill content

[0] node | package: outsmart | creates binaries: outsmart

Recommendation

Pin and audit the exact package version, verify its source against the homepage, review the CLI code before use, and avoid granting it access to high-value wallets.