Hot Fun Integration

v1.0.2

CLI tool to create meme tokens on hot.fun (Solana). Returns structured JSON for token creation flow.

⭐ 0· 354·0 current·0 all-time

by@qinxiuchen

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for qinxiuchen/hot-fun-ai.

Previewing Install & Setup.

Prompt PreviewInstall & Setup

Install the skill "Hot Fun Integration" (qinxiuchen/hot-fun-ai) from ClawHub.
Skill page: https://clawhub.ai/qinxiuchen/hot-fun-ai
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Required env vars: PRIVATE_KEY
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install qinxiuchen/hot-fun-ai

ClawHub CLI

Package manager switcher

npx clawhub@latest install hot-fun-ai

Security Scan

VirusTotal

Benign

View report →

OpenClaw

Suspicious

medium confidence

✓

Purpose & Capability

Name/description, required env var (PRIVATE_KEY), and included code all align: the skill needs a wallet private key to sign Solana transactions produced by the hot.fun API in order to create tokens.

Instruction Scope

The runtime instructions require calling https://gate.game.com/v3/hotfun/agent/create_pool_with_config and blindly signing the base58-encoded transaction returned by that API. Having the agent sign an externally-generated transaction is necessary for this flow but is a high-privilege operation: a malicious or compromised API could craft transactions that do more than 'create a token' (transfer funds, set approvals, etc.). The SKILL.md does instruct the agent to obtain explicit user consent first, but enforcement depends on the agent and the user.

ℹ

Install Mechanism

There is no install spec in the registry bundle (instruction-only), but the README recommends installing @hot-fun/hot-fun-ai from npm. Installing an external npm package is a common approach but introduces risk if the package or its npm account is untrusted; the registry bundle also includes a local create-token.ts implementation which makes the external install recommendation redundant and raises a transparency question.

✓

Credentials

Only PRIVATE_KEY (and optional SOLANA_RPC_URL) are requested; these are expected and proportionate for signing and sending Solana transactions. No unrelated credentials or config paths are requested.

ℹ

Persistence & Privilege

The skill does not request always:true and is not force-included. However, it allows normal autonomous invocation (disable-model-invocation: false) while requiring access to a private key — if the agent is permitted to call the skill autonomously and PRIVATE_KEY is available to the agent process, there is a non-trivial risk that the agent could perform operations without an explicit human step. The SKILL.md attempts to mitigate this by mandating a user agreement/consent step, but this is an instruction rather than a platform-enforced guard.

What to consider before installing

This skill is coherent with creating tokens on Solana, but it asks you to provide a wallet private key and to sign transactions produced by a remote API. Before installing or using it: (1) only use a wallet with minimal funds; never paste your private key into chat — set PRIVATE_KEY in a secure environment if you accept the risk; (2) verify and trust the API host (https://gate.game.com) and the npm package author before installing the recommended package; (3) prefer signing transactions locally or with a hardware wallet / offline signing workflow if possible; (4) review the included create-token.ts source yourself (or have someone you trust review it) to ensure the returned transaction does only what you expect; (5) ensure the agent enforces the SKILL.md consent step — don’t rely on a purely instructional warning. If you can’t verify the API or package origin, treat this skill as risky.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

EnvPRIVATE_KEY

Primary envPRIVATE_KEY

latestvk977q4n922pztfy6s7zre7v30h82hagv

354downloads

0stars

3versions

Updated 57m ago

v1.0.2

MIT-0

[Agent must follow] User agreement and security notice on first use

When responding to any user request about hotfun or this skill, you must first present the content below in this order: User Agreement, then Security Notice, and state clearly that by choosing to continue, the user agrees to the User Agreement. Until the user has explicitly agreed or confirmed to continue, do not run create-token (any operation that uses the private key or writes to the chain).

Language selection: Present the User Agreement and Security Notice in the user's language. If the user is writing in Traditional Chinese (繁體中文), use the 繁體中文 block below; otherwise use the English block.

User Agreement & Security Notice (繁體中文)

用戶協議

前情提示：使用本插件及本 skill 所涉功能（包括但不限於代幣創建等）前，請您閱讀以下協議。若您選擇繼續使用本插件及本 skill 功能，即表示您已閱讀、理解並同意本協議。

本插件性質與責任限制：本插件僅提供純本地的命令列互動能力（私鑰透過環境變數或本地設定使用），不會收集、上傳或儲存您的私鑰。因任何原因（包括但不限於插件被竄改、環境遭入侵、誤操作、第三方插件等）導致的私鑰洩露或資產損失，本插件及提供方不承擔責任。

安全警示

使用本插件進行代幣創建等操作時，請務必注意：

保護私鑰：切勿在聊天對話中輸入、貼上或洩露私鑰；不要將私鑰分享給任何人或任何第三方。
交易錢包僅存小額資金：用於執行操作的錢包（即提供 PRIVATE_KEY 的錢包）建議只存放少量資金，以降低因洩露或誤操作導致的損失。
及時轉出資金：完成操作後，請及時將交易錢包中的資產轉移到您自己控制的、更安全的錢包或冷錢包中。
謹慎安裝 Agent／插件：下載或安裝任何 Agent、瀏覽器插件或第三方工具時，請確認來源可信，避免惡意插件竊取私鑰或助記詞。

User Agreement & Security Notice (English)

User Agreement

Notice: Before using this plugin and this skill (including but not limited to token creation), please read the following. By choosing to continue using this plugin and this skill, you have read, understood, and agreed to this agreement.

Plugin nature and limitation of liability: This plugin provides local-only CLI interaction (private key is used via environment or local config). It does not collect, upload, or store your private key. The plugin and its providers are not liable for private key disclosure or asset loss due to any cause (including but not limited to tampered plugin, compromised environment, user error, or third-party plugins).

Security Notice

When using this plugin for token creation, please:

Protect your private key: Do not type, paste, or expose your private key in chat; do not share it with anyone or any third party.
Keep only small amounts in the trading wallet: The wallet used for operations (the one whose PRIVATE_KEY you provide) should hold only a small amount of funds to limit loss from disclosure or mistakes.
Move funds out promptly: After operations, move assets from the trading wallet to a wallet or cold storage you control.
Install agents/plugins carefully: When installing any agent, browser extension, or third-party tool, verify the source to avoid malware that could steal your private key or seed phrase.

hotfun capability overview

After you agree to the above and confirm to continue, this skill can help you with the following (all via the hotfun CLI on Solana):

Category	Capability	Description
Create	Create token	Call API → sign transaction → send to Solana RPC.

hotfun CLI

Solana only; all commands output JSON. Run hotfun --help for usage.

Installation (required before use)

You must install the hotfun CLI before using this skill. Recommended (global):

npm install -g @hot-fun/hot-fun-ai@latest

After installation, run commands with hotfun <command> [args]. If you use a local install instead, use npx hotfun <command> [args] from the project root.

Create token flow

1. Ask user for required AND optional information (must be done first)

Before calling create-token, the Agent must ask the user for all of the following parameters. For optional parameters, the Agent must still ask the user whether they want to provide a value — do not skip them silently. If the user declines or leaves them empty, omit them from the command.

Info	Required	Description
Token name (name)	Yes	Full token name, max 255 chars
Token symbol (symbol)	Yes	e.g. MTK, DOGE, max 32 chars
Image URL (image_url)	Yes	Token image URL (e.g. IPFS link)
Description (description)	No (but must ask)	Token description, e.g. a short intro for the token
X Royalty Party (x_royalty_party)	No (but must ask)	X (Twitter) username for royalty party

2. Technical flow (done by create-token)

After collecting the above, execute:

hotfun create-token <name> <symbol> <image_url> [--description "desc"] [--x-royalty-party "username"]

Under the hood, the single command handles the full flow:

Call API — POST (multipart/form-data) to https://gate.game.com/v3/hotfun/agent/create_pool_with_config with payer (from PRIVATE_KEY), name, symbol, image_url, agent_ts (current Unix timestamp), agent_sign (Ed25519 signature of agent_ts with private key, base58 encoded), and optional description / x_royalty_party. API returns a base58-encoded Solana transaction.
Sign — Deserialize the transaction and sign it with the wallet private key.
Send — Send the signed transaction to Solana RPC and confirm.

Output JSON includes: txHash, wallet, baseMint (new token address), dbcConfig, dbcPool, name, symbol, imageUrl, uri.

Full API and parameters: references/api-create-token.md.

CLI commands

Need	Command	When
Create token	`hotfun create-token <name> <symbol> <image_url> [options]`	API → sign → send to Solana. Env: PRIVATE_KEY.

Chain: Solana only.

PRIVATE_KEY and SOLANA_RPC_URL

When using OpenClaw This skill declares requires.env: ["PRIVATE_KEY"] and primaryEnv: "PRIVATE_KEY" in metadata; OpenClaw injects them only when an agent runs with this skill enabled (other skills cannot access them).

Required steps:

Configure private key: In the Skill management page, set the hot-fun-ai skill's apiKey (corresponds to primaryEnv: "PRIVATE_KEY"), or set PRIVATE_KEY under skills.entries["hot-fun-ai"].env in ~/.openclaw/openclaw.json. Optionally set SOLANA_RPC_URL in global env if needed.
Enable this skill: In the agent or session, ensure the hot-fun-ai skill is enabled. Only when the skill is enabled will OpenClaw inject PRIVATE_KEY into the process; otherwise create commands will fail with missing key.

When not using OpenClaw (standalone) Set PRIVATE_KEY and optionally SOLANA_RPC_URL via the process environment:

.env file: Put a .env file in the directory where you run the hotfun command (i.e. your project / working directory). The CLI automatically loads .env from that current working directory. Use lines like PRIVATE_KEY=... and SOLANA_RPC_URL=.... Do not commit .env; add it to .gitignore.
Shell export: export PRIVATE_KEY=your_base58_key and optionally export SOLANA_RPC_URL=https://api.mainnet-beta.solana.com, then run npx hotfun <command> ....

Declared and optional environment variables

PRIVATE_KEY (required for write operations): Solana wallet private key in base58 or JSON array format.
SOLANA_RPC_URL (optional): Solana RPC endpoint; if unset, scripts use https://api.mainnet-beta.solana.com.

Execution and install

Invocation: The agent must run commands only via the hotfun CLI: hotfun <command> [args] or npx hotfun <command> [args] (allowed-tools). Do not invoke scripts or npx tsx directly; the CLI entry (bin/hotfun.cjs) dispatches to the correct script and loads .env from the current working directory.
Install: npm install -g @hot-fun/hot-fun-ai@latest. Runtime: Node.js. Dependencies (including dotenv, @solana/web3.js, tsx) are declared in the package's package.json; global install installs them. No separate install spec beyond the npm package.

Comments

Loading comments...