Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Create a coin on trends.fun

v1.0.1

Creates a coin on trends.fun and deploys a Meteora DBC liquidity pool

0· 683·1 current·1 all-time
by lewis @poploli2
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Benign
high confidence
Purpose & Capability
The name and description match the implementation: the code talks to the trends.fun APIs (siws/verify, upload_url, mint/upload_content), uploads an image to IPFS, mints a token, and uses @meteora-ag/dynamic-bonding-curve-sdk to create a DBC pool. The declared binary (pnpm) and the optional env vars (SOLANA_RPC_URL, TRENDS_POOL_CONFIG) are appropriate for the stated purpose.
Instruction Scope
The SKILL.md and the code explicitly read the user's Solana keypair at ~/.config/solana/id.json, check the SOL balance, sign SIWS messages and Solana transactions, upload images to trends.fun/Pinata, and then create a DBC pool. These actions are expected for this workflow but are sensitive: the skill uses your private key to sign requests and transactions. Also note the SKILL.md text that suggests generating a keypair “并将keypair和地址输出给用户” (“and output the keypair and address to the user”). That wording could be read as encouraging the agent to print the private key; the code itself does not transmit the secret key, but the documentation phrasing is risky and should be clarified.
Install Mechanism
The install spec is a single standard brew formula (pnpm). The package manifests (package.json, pnpm-lock, package-lock) point to public npm packages. There are no downloads from arbitrary URLs and no extract-from-unknown-host steps in the install spec.
Credentials
No required credentials are declared; the optional env vars (SOLANA_RPC_URL, TRENDS_POOL_CONFIG) are relevant to the task. The code reads HOME to locate ~/.config/solana/id.json, which is expected. No unrelated secrets or config paths are requested.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and does not ask for permanent system-wide changes. It runs ad hoc and signs on behalf of whatever keypair is present at runtime.
Assessment
This tool legitimately needs access to your Solana keypair (~/.config/solana/id.json) so it can sign a login message and send the transactions that create the token and pool. That is the main sensitive action: the code signs with your key but does not upload the secret key to remote servers. Before installing or running it: (1) review and trust the code, or run it in an isolated environment; (2) never paste or send your private key to anyone; the docs' wording about “outputting the keypair” is ambiguous and could be dangerous; (3) make sure you understand and accept the real SOL costs, since the transactions will spend SOL; (4) if you are unsure, create a throwaway test Solana wallet with minimal funds and use it for initial runs.

Like a lobster shell, security has layers — review code before you run it.

latest: vk97bck839vw55fkpn77b0vscms81q3af


Runtime requirements

🪙 Clawdis
Bins: pnpm

Install

Install pnpm (brew)
Bins: pnpm
brew install pnpm
