Create a coin on trends.fun
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to do what it claims, but it uses a local Solana wallet key and can spend real SOL in irreversible on-chain transactions without strong built-in confirmation or credential safeguards.
Install only if you understand that this skill will use your Solana wallet and can spend real SOL. Prefer a dedicated wallet with limited funds, do not share or print private key material, and manually verify all token details, pool config, fees, and first-buy settings before allowing it to send transactions.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the keypair is exposed or the default wallet is used unintentionally, the user's Solana funds and signing authority could be put at risk.
The skill depends on a local Solana private keypair and even suggests outputting a generated keypair; this is high-impact credential handling and is not reflected in the registry's declared primary credential/config paths.
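Please make sure the file `~/.config/solana/id.json` exists and contains a valid Solana keypair; if it does not exist, first install the `solana cli` and generate a Solana keypair, then output the keypair and address to the user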
Declare the wallet keypair/config path explicitly, never print private key material, require a dedicated low-balance wallet, and ask the user to confirm which wallet will be used before signing.
The skill can spend real SOL and create irreversible blockchain state; an optional first-buy transaction could execute with no effective minimum-output protection.
The code submits mainnet Solana transactions, including an optional first buy with zero minimum output, without showing an enforced confirmation, dry-run, fee cap, or slippage limit.
minimumAmountOut: new BN(0) ... sendAndConfirmTransaction(connection, createPoolTx, [payer, baseMint]) ... sendAndConfirmTransaction(connection, swapBuyTx, [payer])
Add an explicit pre-send confirmation showing wallet, mint, pool config, estimated fees, first-buy amount, and slippage/min-output; default to dry-run or simulation before submitting.
Any private or identifying information in the uploaded image or metadata may become publicly accessible and difficult to remove.
The selected image is uploaded to public IPFS via a provider upload URL. This is expected for coin creation, but the resulting content is public.
form.append("network", "public"); ... const ipfsUrl = `https://ipfs.io/ipfs/${cid}`;
Only upload images and metadata intended to be public and permanent; review the token name, description, URL, and image before running the skill.
