Hot Fun Integration

Security checks across malware telemetry and agentic risk

Overview

This skill matches its stated purpose, but it uses your Solana private key to sign and broadcast a transaction supplied by an external API without locally showing or validating what that transaction does.

Install only if you understand that this can sign real Solana mainnet transactions. Use a fresh low-balance wallet, pin and verify the npm package, never enter your private key in chat, and inspect or simulate the transaction before broadcasting whenever possible.

VirusTotal

63/63 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
Severity: High
What this means

If the API response or installed CLI package is compromised or unexpected, the wallet could sign and send an unintended Solana transaction, potentially spending funds or changing assets.

Why it was flagged

The code accepts a transaction built by the external hot.fun API, deserializes it, signs it with the user's wallet key, and broadcasts it without locally validating that the transaction only performs the requested token creation.

Skill content
const { transaction: txBase58, dbc_config, dbc_pool, base_mint, uri } = json.data;
...
const tx = VersionedTransaction.deserialize(txBytes);
tx.sign([keypair]);
...
connection.sendRawTransaction(tx.serialize(), {
Recommendation

Use a dedicated low-balance wallet, verify the endpoint/package, and prefer tooling that simulates or displays the exact Solana transaction instructions before signing.
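The recommendation above asks for tooling that shows the exact instructions before the key signs anything. The following is an added example (not code from the Hot Fun skill, from the @hot-fun/hot-fun-ai package, or from ClawScan) of such a pre-sign gate. It operates on a message object whose shape mirrors the `MessageV0` that `VersionedTransaction.deserialize(txBytes).message` yields in @solana/web3.js (`staticAccountKeys`, `compiledInstructions[]` with `programIdIndex`, `accountKeyIndexes`, `data`), but with account keys as base58 strings so it runs without the library. It goes a little beyond the token-creation case on the page: it decodes System Program and SPL Token transfers generically, enforces a program allowlist and a cap on SOL leaving the wallet, and refuses to judge instructions that reach into address lookup tables. The `checkTransaction` and `describeInstruction` names, the policy fields, and every account key other than the two well-known program IDs are assumptions or constructed placeholders.

```javascript
// Added example, not the skill's own code: a pre-sign policy gate for a
// Solana v0 transaction message. Input shape mirrors @solana/web3.js
// MessageV0, with account keys given as base58 strings (assumption).

const SYSTEM_PROGRAM = "11111111111111111111111111111111";            // real System Program ID
const TOKEN_PROGRAM = "TokenkegQfeZyiNwAJbNbGKPFXCWuBvf9Ss623VQ5DA";   // real SPL Token program ID

// Solana encodes instruction data integers little-endian.
function readU32LE(bytes, off) {
  return new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength).getUint32(off, true);
}
function readU64LE(bytes, off) {
  return new DataView(bytes.buffer, bytes.byteOffset, bytes.byteLength).getBigUint64(off, true);
}

// A v0 message may reference keys loaded from address lookup tables; those
// are not in staticAccountKeys, so an out-of-range index resolves to null.
function keyAt(msg, index) {
  return index < msg.staticAccountKeys.length ? msg.staticAccountKeys[index] : null;
}

// Decode the two instruction types that move value out of a wallet directly:
// System Program Transfer (u32 tag 2 + u64 lamports; accounts: from, to) and
// SPL Token Transfer (u8 tag 3 + u64 amount; accounts: source, destination,
// authority). Everything else is reported as "unknown" with its program ID.
function describeInstruction(msg, ix) {
  const programId = keyAt(msg, ix.programIdIndex);
  const accounts = ix.accountKeyIndexes.map((i) => keyAt(msg, i));
  const data = ix.data;
  if (programId === SYSTEM_PROGRAM && data.length === 12 && readU32LE(data, 0) === 2) {
    return { programId, kind: "system.transfer", from: accounts[0], to: accounts[1], lamports: readU64LE(data, 4) };
  }
  if (programId === TOKEN_PROGRAM && data.length === 9 && data[0] === 3) {
    return { programId, kind: "token.transfer", source: accounts[0], destination: accounts[1],
             authority: accounts[2], amount: readU64LE(data, 1) };
  }
  return { programId, kind: "unknown", accounts, dataLen: data.length };
}

// Policy (assumed fields): the wallet that should pay the fee, the programs
// the requested operation is allowed to touch, and a cap on SOL leaving it.
function checkTransaction(msg, policy) {
  const findings = [];
  const feePayer = msg.staticAccountKeys[0]; // first static key pays the fee and must sign
  if (feePayer !== policy.wallet) findings.push(`fee payer ${feePayer} is not the expected wallet`);
  const summary = msg.compiledInstructions.map((ix) => describeInstruction(msg, ix));
  let lamportsOut = 0n;
  for (const d of summary) {
    if (d.programId === null) findings.push("instruction uses an address lookup table; resolve tables before judging");
    else if (!policy.allowedPrograms.has(d.programId)) findings.push(`program ${d.programId} is not allowlisted`);
    if (d.kind === "system.transfer" && d.from === policy.wallet) lamportsOut += d.lamports;
    if (d.kind === "token.transfer" && d.authority === policy.wallet) {
      findings.push(`token transfer of ${d.amount} units authorized by the wallet`);
    }
  }
  if (lamportsOut > policy.maxLamportsOut) {
    findings.push(`SOL leaving wallet (${lamportsOut} lamports) exceeds cap ${policy.maxLamportsOut}`);
  }
  return { ok: findings.length === 0, lamportsOut, summary, findings };
}

// --- constructed sample data: placeholder keys, not real accounts ---
const WALLET = "ExampleWallet111111111111111111111111111111";
const RECIPIENT = "ExampleRecipient1111111111111111111111111111";
const LAUNCH_PROGRAM = "ExampleLaunchProgram111111111111111111111111"; // stand-in for the API's program

function systemTransferData(lamports) {
  const buf = new Uint8Array(12);
  const dv = new DataView(buf.buffer);
  dv.setUint32(0, 2, true);          // System Program instruction tag: Transfer
  dv.setBigUint64(4, lamports, true); // amount in lamports
  return buf;
}

// A message with one SOL transfer and one opaque call into the launch program.
function sampleMessage(lamports, feePayer = WALLET) {
  return {
    staticAccountKeys: [feePayer, RECIPIENT, SYSTEM_PROGRAM, LAUNCH_PROGRAM],
    compiledInstructions: [
      { programIdIndex: 2, accountKeyIndexes: [0, 1], data: systemTransferData(lamports) },
      { programIdIndex: 3, accountKeyIndexes: [0, 1], data: Uint8Array.from([1, 2, 3]) },
    ],
  };
}

const POLICY = {
  wallet: WALLET,
  allowedPrograms: new Set([SYSTEM_PROGRAM, TOKEN_PROGRAM, LAUNCH_PROGRAM]),
  maxLamportsOut: 100000000n, // 0.1 SOL
};

const verdict = checkTransaction(sampleMessage(50000000n), POLICY);
console.log(JSON.stringify(verdict, (k, v) => (typeof v === "bigint" ? v.toString() : v), 2));
```

In a real flow the gate would sit between `VersionedTransaction.deserialize(txBytes)` and `tx.sign([keypair])`, and a failed check would abort before any signature exists. Pairing it with `connection.simulateTransaction(tx)` adds a second view (balance changes and logs from the RPC node), but simulation alone does not replace a local instruction-level check, since the API controls both the transaction bytes and what a compromised package does with them.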

ASI03: Identity and Privilege Abuse
Severity: Medium
What this means

Any mistake, compromise, or malicious package running in the same environment could put funds in that wallet at risk.

Why it was flagged

The skill explicitly requires a raw Solana wallet private key from the environment, giving the CLI authority to sign wallet transactions.

Skill content
Env: PRIVATE_KEY (Solana wallet private key, base58 or JSON array)
...
const privateKey = process.env.PRIVATE_KEY;
Recommendation

Never paste the key into chat, use a separate wallet with only the minimum funds needed, and remove or rotate the key after use.

ASI04: Agentic Supply Chain Vulnerabilities
Severity: Medium
What this means

A future or compromised package version could behave differently from the reviewed artifact while still receiving wallet authority.

Why it was flagged

The documented setup installs a global npm package at the moving @latest tag rather than a pinned version, and that package is what performs the wallet-signing operations.

Skill content
npm install -g @hot-fun/hot-fun-ai@latest
Recommendation

Pin and verify the npm package version, install from a trusted source, and avoid running unreviewed updates with a funded wallet key.