Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

nadfun

v1.0.0

Decentralized Monad token launchpad with bonding curve trading, token creation, real-time event streaming, and historical data querying via pure viem calls.

4· 1.6k·3 current·3 all-time
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
View report →
OpenClaw
Benign
medium confidence
Purpose & Capability
The SKILL.md and associated files describe a token launchpad (bonding curves, token creation, indexing, trading) and all referenced endpoints, ABIs, and RPCs match that purpose. Required binaries/env in registry metadata are empty but that is plausible for an instruction-only skill.
Instruction Scope
The runtime instructions include commands to curl documentation files from https://nad.fun into ~/.nadfun/skills and many code examples that require a private key (process.env.PRIVATE_KEY) and an API key (X-API-Key). The docs also show examples that print private keys in console (even though a security note advises not to). These instructions are within the domain of a blockchain wallet/launchpad skill but they ask the user/agent to fetch remote content and to handle sensitive secrets — which merits caution.
Install Mechanism
No formal install spec in the registry (instruction-only). The SKILL.md recommends curl commands that download files from nad.fun and write them to ~/.nadfun/skills. Downloading remote docs is expected for a docs-driven skill, but it writes content from an external host to disk — verify the domain before running.
Credentials
The skill documentation repeatedly references PRIVATE_KEY / NAD_API_KEY / session cookies for wallet login and API key management, which are necessary for creating tokens and signing transactions. However, the skill metadata declares no required environment variables or primary credential. This mismatch means the skill will functionally require sensitive secrets even though none are declared. Users should not expose private keys or session cookies, or paste them into untrusted environments.
Persistence & Privilege
The skill does not request always: true and does not include an install script that modifies other skills or agent-wide settings. It is instruction-only and will not persist code automatically beyond any files the user chooses to curl/save.
Assessment
This is an instruction-only NadFun integration guide (no code executed by the registry). Before running anything:
1) Do NOT run the curl commands blindly. Inspect the remote URLs (https://nad.fun, https://dev-api.nad.fun, https://api.nadapp.net) in a browser first.
2) Never paste your real private key or session cookie into examples; use a throwaway/test key on testnet or a hardware wallet for signing.
3) When the docs ask for an API key or session cookie, create a scoped key with minimal permissions and set an expiration or rotate it.
4) Avoid running examples that print private keys to logs.
5) If you plan to save downloaded files, keep them in a directory you control and review their contents before executing any scripts.
If you want stronger assurance, request the publisher/site source code or host-signed releases (GitHub/official releases) instead of raw curl downloads.


latest: vk972e3ww4srew8s5x0cz8nhvdn80dkrw
