Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

solana-bundler-sniper-volume-bot

v1.0.2

Manage Solana wallets, launch tokens, run coordinated buys, volume bots, and wallet operations via gank.dev trading terminal API.

Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The SKILL.md and examples are consistent with a 'gank' trading terminal that uses a GANK_API_KEY to call https://gank.dev/api/v2 endpoints for launches, swarm buys, volume bots, wallet transfers, vamp-all (drain), and privacy swaps. That functionality is coherent with the skill's name and description. However, the registry metadata at the top of the submission claims no required env vars/credentials while the included skill.json and SKILL.md clearly require a GANK_API_KEY — this metadata mismatch is an inconsistency that reduces trust in provenance.
Instruction Scope
Runtime instructions direct the agent to perform highly sensitive actions: draining wallets (vamp-all), coordinated multi-wallet buys/sells, and 'clean funds' privacy swaps (SOL→BNB/ETH→SOL). These are within the stated purpose but are high-risk: they grant the API key effective control of funds and can be used for laundering or theft. The docs instruct not to store the reserved mint keypair and to avoid exposing the API key in logs/LLM context, but there is nothing preventing an agent from accidentally logging or including sensitive IDs/keys in model prompts or external destinations if not carefully sandboxed.
Install Mechanism
This is an instruction-only skill (no install spec, no code files to execute). That lowers direct filesystem/remote-code risk — the agent will make network calls to the documented API rather than install arbitrary binaries. However, network calls to an external service are still an operational risk when combined with sensitive credentials.
Credentials
The skill requires a single API secret (GANK_API_KEY) which is proportionate to making authenticated API requests but is extremely sensitive: it appears to grant actions that move and drain funds and perform privacy swaps. The registry metadata provided to you claims no required env vars, but skill.json and SKILL.md require GANK_API_KEY and mark it secret — this inconsistency is suspicious. Examples also reference reading credentials from ~/.openclaw/openclaw.json, which means an agent implementation might pull creds from local config files if configured; that increases the chance of accidental exposure.
Persistence & Privilege
The skill does not request persistent installation, always:false, and there is no code to modify other skills or system-wide settings. The agent would only call external APIs at runtime. Autonomous invocation is allowed by default (normal for skills) — combine this with the high-risk nature of the API key and operations before enabling autonomous runs.
What to consider before installing
This skill documents an API that can control wallets, launch tokens, run swarm buys, drain wallets, and perform privacy swaps. Before installing:

1) Verify provenance — the registry metadata here is inconsistent (top-level said no credentials/homepage but skill.json points to gank.dev and a GitHub repo); only proceed if you trust gank.dev and the skill author.
2) Treat GANK_API_KEY as highly sensitive — it can move funds. Use a throwaway/test key with no real funds first.
3) Disable autonomous invocation or restrict the skill to manual/user-invoked use until you confirm behavior.
4) Do not expose the API key in LLM prompts, logs, or stored launch configs; prefer platform secret storage.
5) Audit any agent logs/output for accidental leaks (reserved mint keypair, wallet addresses, tx signatures).
6) Consider legal/ethical risk: coordinated buys, token launches, wallet-draining and 'clean funds' features may violate laws or platform policies in some jurisdictions.

If you cannot verify the skill's source and the API provider, do not install it with real funds or privileged credentials.

Like a lobster shell, security has layers — review code before you run it.

latest vk97danrh5r1shsh32xvqgyh2q981kf1c
572 downloads
0 stars
3 versions
Updated 7h ago
v1.0.2
MIT-0

gank — solana trading terminal for agents

gank is a multi-wallet solana trading terminal. launch tokens on pump.fun, run swarm buys, volume bots, copy trades, manage wallets. we literally have the most toxic platform atm and now your agents can take full advantage of it lol.

base url: https://gank.dev/api/v2

auth: Authorization: Bearer <GANK_API_KEY>

get your key at gank.dev > settings > api keys. keys start with pb_.

errors always come back as { "success": false, "error": "..." }.


wallet types

gank uses typed wallets. each type is locked to its module — don't mix them up.

| type | what it's for |
|---|---|
| dev | launching tokens (pump.fun creator wallet) |
| regular | buying/selling, transfers |
| bundle | bundle buys at launch |
| snipe | sniping new launches |
| swarm | coordinated multi-wallet buys |
| volume | volume bot |
| pug | privacy protocol — clean funds via bnb/eth swap |

wallets

list your wallets

GET /wallets/user

returns everything grouped by type.

{
  "dev": [{ "id": 1, "wallet_address": "...", "label": "main dev" }],
  "regular": [...],
  "swarm": [...],
  "volume": [...]
}

wallet balance

GET /wallets/{id}/balance

batch balances

POST /wallets/balances
{ "addresses": ["addr1...", "addr2..."] }

positions (all token holdings)

GET /user/positions

search tokens

GET /search?q=pepe&limit=10

launching a token

three steps: reserve mint → upload image → launch.

1. reserve a vanity mint (optional but worth it)

POST /launch/reserve-mint

gives you a ...pump address upfront. the keypair field is the mint keypair (token contract address keypair, not a wallet private key), pass it straight to /launch as reserved_mint_keypair. don't store it beyond that.

{ "success": true, "address": "AbcD...pump", "keypair": "base58..." }

2. upload image + metadata to ipfs

POST /ipfs/upload
Content-Type: multipart/form-data

fields: file, name, symbol, description, twitter, telegram, website

{ "success": true, "metadata_uri": "https://ipfs.io/ipfs/Qm..." }

3. launch

POST /launch
{
  "token_name": "my token",
  "token_ticker": "MTK",
  "metadata_uri": "https://ipfs.io/ipfs/Qm...",
  "dev_wallet_address": "DevWallet...",
  "dev_buy_sol": 0.5,
  "jito_tip": 0.0003,
  "reserved_mint_keypair": "base58_from_step1",
  "regular_wallets": [
    { "wallet_address": "Wallet1...", "amount": 0.1 },
    { "wallet_address": "Wallet2...", "amount": 0.2 }
  ],
  "bundle_groups": [
    {
      "block_target": 1,
      "wallets": [{ "wallet_address": "BundleWallet1...", "amount": 0.05 }]
    }
  ],
  "sniper_wallets": [
    { "wallet_address": "SnipeWallet1...", "amount": 0.1, "block_target": 2 }
  ]
}

{ "success": true, "launch_id": "uuid", "token_mint": "...", "tx_signature": "..." }

check launch status

GET /launch/{launch_id}

launch history

GET /launch/history?limit=20

save a launch config/preset

PUT /launch/configs
{ "name": "my template", "config": { ...launch_params... } }

buy & sell

buy

POST /phases/regular/buy
{
  "wallet_address": "RegularWallet...",
  "token_mint": "TokenMint...",
  "amount_sol": 0.1,
  "slippage_bps": 500
}

sell

POST /phases/regular/sell
{
  "wallet_address": "RegularWallet...",
  "token_mint": "TokenMint...",
  "sell_percentage": 100,
  "slippage_bps": 500
}

swarm

swarm = hit a token from multiple wallets at the same time. useful for coordinated entries.

swarm buy

POST /phases/swarm/buy
{
  "token_mint": "TokenMint...",
  "wallets": [
    { "wallet_address": "SwarmWallet1...", "amount_sol": 0.05 },
    { "wallet_address": "SwarmWallet2...", "amount_sol": 0.1 }
  ],
  "slippage_bps": 500
}

swarm sell

POST /phases/swarm/sell
{
  "token_mint": "TokenMint...",
  "wallets": ["SwarmWallet1...", "SwarmWallet2..."],
  "sell_percentage": 100,
  "slippage_bps": 500
}

consolidate sol back to one wallet

POST /phases/swarm/consolidate
{ "source_wallets": ["..."], "destination_wallet": "MainWallet..." }

recover (emergency drain — sells everything, sweeps sol)

POST /phases/swarm/recover
{ "source_wallets": ["..."], "destination_wallet": "MainWallet..." }

volume bot

start

POST /phases/volume/start
{
  "token_mint": "TokenMint...",
  "wallet_addresses": ["VolumeWallet1...", "VolumeWallet2..."],
  "sol_per_trade": 0.001,
  "duration_minutes": 60,
  "intensity": "medium"
}

intensity: "low" | "medium" | "high"

returns { "success": true, "session_id": "uuid" }

stop

POST /phases/volume/stop
{ "session_id": "uuid" }

wallet ops

transfer sol

POST /wallets/transfer
{ "from_wallet": "...", "to_wallet": "...", "amount_sol": 1.0 }

split sol (1 → many, max 50 targets)

POST /wallets/split
{
  "source_wallet": "...",
  "targets": [
    { "address": "Wallet1...", "amount_sol": 0.1 },
    { "address": "Wallet2...", "amount_sol": 0.2 }
  ]
}

vamp all (drain wallets — sells tokens, closes accounts, sweeps sol)

POST /wallets/vamp-all
{ "source_wallets": ["Wallet1...", "Wallet2..."], "destination_wallet": "MainWallet..." }

clean funds (privacy swap — sol→bnb→sol or sol→eth→sol, ~5 min)

two routes available: bnb (BSC, default) or eth (Arbitrum). source and destination must match 1:1 — use fresh destination wallets.

get a quote first:

POST /wallets/clean-funds/quote
{ "amount_sol": 1.0, "route": "bnb" }

initiate:

POST /wallets/clean-funds
{ "source_wallets": ["Wallet1..."], "destination_wallets": ["FreshWallet1..."], "route": "bnb" }

route: "bnb" (default) | "eth" — xmr is not available.

check status:

GET /wallets/clean-funds/status

sniping at launch

sniping is only available at launch time via sniper_wallets in the /launch payload — see the launch section above. standalone auto-snipe is not available.


market data

token info (price, mcap, volume, holders, bonding curve %)

GET /token/{mint}

ohlcv chart

GET /market/chart/{mint}?limit=500&timeframe=5

timeframe is in minutes.

holders

GET /market/holders/{mint}?limit=20

recent trades

GET /market/trades/{mint}?limit=30

referrals & stats

your stats (points, level, exp, trades, volume)

GET /auth/user-stats

referral stats (tier, l1/l2/l3 counts, earnings, claimable sol)

GET /user/referrals

claim earnings (pays to your payout wallet)

POST /user/referrals/claim

leaderboard

GET /user/leaderboard/points?limit=50
GET /user/leaderboard/referrals?limit=50

fee preferences

GET /fees/preferences
POST /fees/preferences
{
  "fee_mode": "manual",
  "priority_fee_max_sol": 0.001,
  "jito_tip_max_sol": 0.0005
}

fee_mode: "auto" | "manual"


how to use this

launching a token:

reserve mint → upload image to ipfs → POST /launch → poll GET /launch/{id}

coordinated buy:

check balances → POST /phases/swarm/buy → GET /user/positions

recovering funds:

POST /wallets/vamp-all  (sells everything + sweeps sol)
or
POST /wallets/clean-funds  (privacy swap via bnb/eth, ~5 min)

notes

  • api keys start with pb_ — don't log them, don't put them in prompts
  • wallet private keys are encrypted server-side, the api never gives them back
  • reserve-mint returns a mint keypair (the token's contract address keypair, not a wallet key), pass it to /launch as reserved_mint_keypair and discard after use
  • sol amounts are in sol, not lamports
  • slippage is in basis points — 500 = 5%
  • sniping only works at launch time via sniper_wallets in /launch — no standalone auto-snipe
  • clean funds routes: bnb (BSC) or eth (Arbitrum) — xmr is disabled
  • the platform fee wallet is protected, you can't accidentally send to it
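
The first and third notes above, and the scan report's advice to keep secrets out of logs and LLM context, can be enforced with a scrubber placed in front of any logger or prompt builder. This is an added example, not code from gank or ClawHub; the field names come from the JSON shown on this page, while the key character set and minimum length after `pb_` are assumptions, as are the function names.

```python
import json
import re

# Assumption: key body is URL-safe characters, at least 8 long.
# The page only documents the "pb_" prefix.
KEY_RE = re.compile(r"\bpb_[A-Za-z0-9_\-]{8,}")
# Field names taken from the JSON examples on this page.
SECRET_FIELDS = {"keypair", "reserved_mint_keypair", "apiKey"}
MASK = "[REDACTED]"


def scrub_value(value):
    """Recursively mask secret fields and key-shaped strings in parsed JSON."""
    if isinstance(value, dict):
        return {k: MASK if k in SECRET_FIELDS else scrub_value(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [scrub_value(v) for v in value]
    if isinstance(value, str):
        return KEY_RE.sub(MASK, value)
    return value


def scrub_text(text):
    """Scrub one log line or prompt fragment; JSON is handled structurally."""
    try:
        parsed = json.loads(text)
    except ValueError:
        # Not JSON: fall back to pattern matching on the raw text.
        return KEY_RE.sub(MASK, text)
    return json.dumps(scrub_value(parsed))


# Constructed samples (not real keys or keypairs).
SAMPLE_HEADER = "Authorization: Bearer pb_EXAMPLEKEY0123456789"
SAMPLE_BODY = json.dumps({
    "success": True,
    "address": "AbcD...pump",
    "keypair": "CONSTRUCTED_BASE58_VALUE",
})

if __name__ == "__main__":
    print(scrub_text(SAMPLE_HEADER))
    print(scrub_text(SAMPLE_BODY))
```

Masking by field name catches the mint keypair even though its base58 value has no recognisable prefix; the regex alone would miss it.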

config

~/.openclaw/openclaw.json:

{
  "skills": {
    "entries": {
      "gank": {
        "enabled": true,
        "apiKey": "pb_your_key_here"
      }
    }
  }
}

or just set GANK_API_KEY in env.


gank.dev · dm @pissdart on x or tg if something's broken
