Skill v1.0.1

ClawScan security

Create a coin on trends.fun · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 23, 2026, 3:40 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill’s code, install steps, and runtime instructions are internally consistent with its stated purpose (creating a trends.fun coin and deploying a Meteora DBC pool); it requires the user’s Solana keypair to sign transactions and authenticate, which is expected for this functionality and is the primary sensitive action to be aware of.
Guidance
This tool legitimately needs access to your Solana keypair (~/.config/solana/id.json) so it can sign a login message and send transactions to create the token/pool. That is the main sensitive action — the code signs with your key but does not upload the secret key to remote servers. Before installing/running: (1) Review and trust the code or run it in an isolated environment; (2) never paste or send your private key to anyone — the docs’ wording about “outputting the keypair” is ambiguous and could be dangerous; (3) ensure you understand and accept the real SOL costs (transactions will spend SOL); (4) if you are unsure, create and use a throwaway/test Solana wallet with minimal funds for initial tests.

Review Dimensions

Purpose & Capability
ok · The name/description match the implementation: the code talks to trends.fun APIs (siws/verify, upload_url, mint/upload_content), uploads an image to IPFS, mints a token and uses @meteora-ag/dynamic-bonding-curve-sdk to create a DBC pool. Declared binaries (pnpm) and optional env vars (SOLANA_RPC_URL, TRENDS_POOL_CONFIG) are appropriate for the stated purpose.
Instruction Scope
note · The SKILL.md and code explicitly read the user's Solana keypair at ~/.config/solana/id.json, check the SOL balance, sign SIWS messages and Solana transactions, upload images to trends.fun/Pinata, then create a DBC pool. These actions are expected for this workflow but are sensitive: the skill will use your private key to sign requests and transactions. Also note the SKILL.md text that suggests generating a keypair and then "outputting the keypair and address to the user"; that wording could be read as encouraging exposure of the private key. The code itself does not transmit the secret key, but the documentation phrasing is risky and should be clarified.
Install Mechanism
ok · Install is a single, standard brew formula (pnpm). The package manifests (package.json/pnpm-lock/package-lock) point to public npm packages. No downloads from arbitrary URLs or extract-from-unknown-host steps are present in the install spec.
Credentials
ok · No required credentials are declared; the optional env vars (SOLANA_RPC_URL, TRENDS_POOL_CONFIG) are relevant to the purpose. The code reads HOME to locate ~/.config/solana/id.json (expected). No unrelated secrets or config paths are requested.
Persistence & Privilege
ok · The skill does not request always:true, does not modify other skills, and does not ask for permanent system-wide changes. It runs ad hoc and signs on behalf of the keypair provided at runtime.