Hot Fun Integration

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill matches its stated token-creation purpose, but it requires a Solana private key and signs a transaction built by a remote service, so it needs careful review.

Install only if you understand that this can sign real Solana transactions. Use a dedicated low-balance wallet, verify the npm package and version, do not paste your private key into chat, and prefer a version that previews or simulates the exact transaction before sending it.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Finding 1: Wallet secret key loaded from the environment and used to sign

What this means

Anyone running this with a funded wallet gives the skill the ability to sign irreversible Solana transactions from that wallet.

Why it was flagged

The CLI reads the wallet secret key from the PRIVATE_KEY environment variable, builds a keypair from it, and uses that keypair to sign transactions.

Skill content
const privateKey = process.env.PRIVATE_KEY; ... const keypair = loadKeypair(privateKey); ... tx.sign([keypair]);
Recommendation

Use only a low-balance burner wallet, never paste the private key into chat, and require clear transaction preview or simulation before signing.

Finding 2: Remote-built transaction signed without inspection

What this means

If the remote API or installed CLI is compromised or returns an unexpected transaction, the wallet could sign actions beyond the user's visible token-creation parameters.

Why it was flagged

The tool obtains a serialized transaction from a remote API, deserializes it, signs it, and sends it to Solana without checking the transaction contents.

Skill content
const res = await fetch(API_URL, { method: 'POST', body: formData }); ... const tx = VersionedTransaction.deserialize(txBytes); tx.sign([keypair]); ... connection.sendRawTransaction(tx.serialize(),
Recommendation

Add transaction inspection, simulation, allowlisted program checks, displayed fees/asset changes, and explicit per-transaction approval before broadcasting.
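The inspection step that the recommendations for findings 1 and 2 ask for, as an added example; this is not code from the skill or from ClawScan. It decodes the raw bytes the remote API returns (the same wire format that VersionedTransaction.deserialize reads) with no dependencies, then refuses to sign unless every instruction targets an allowlisted program, the fee payer is the local wallet, no address lookup tables hide accounts from offline review, and SOL leaving the wallet through System Program transfers stays under a cap. The 32-byte keys, the launch program, the 1 SOL cap and the sample transactions are constructed for the demo; in the skill the check would sit between VersionedTransaction.deserialize and tx.sign, and a connection.simulateTransaction call against the RPC node would complement it.

```javascript
'use strict';
// Added example, not code from the skill or from ClawScan: decode a serialized Solana VersionedTransaction
// (legacy or v0) with no dependencies, then refuse to sign unless every instruction targets an allowlisted
// program, the fee payer is our wallet, no lookup tables hide accounts, and SOL leaving the wallet stays capped.
const ALPHABET = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz';
const SYSTEM_PROGRAM = '1'.repeat(32); // base58 of the all-zero System Program key

// Base58 with the Bitcoin/Solana alphabet; leading zero bytes become leading '1's.
function base58(bytes) {
  let n = 0n, out = '';
  for (const b of bytes) n = n * 256n + BigInt(b);
  for (; n > 0n; n /= 58n) out = ALPHABET[Number(n % 58n)] + out;
  for (const b of bytes) { if (b !== 0) break; out = '1' + out; }
  return out;
}

// Cursor over Solana's wire encoding: fixed-width fields plus compact-u16 lengths (7 bits per byte, low first).
class Reader {
  constructor(buf) { this.buf = buf; this.pos = 0; }
  u8() { if (this.pos >= this.buf.length) throw new Error('truncated'); return this.buf[this.pos++]; }
  bytes(n) { if (this.pos + n > this.buf.length) throw new Error('truncated'); return this.buf.subarray(this.pos, (this.pos += n)); }
  compactU16() {
    let value = 0;
    for (let shift = 0; shift < 21; shift += 7) { const b = this.u8(); value |= (b & 0x7f) << shift; if (!(b & 0x80)) return value; }
    throw new Error('bad compact-u16');
  }
}

// Signatures first, then the message; a v0 message starts with 0x80|version, a legacy one with the header.
function parseTransaction(buf) {
  const r = new Reader(buf);
  for (let n = r.compactU16(); n > 0; n--) r.bytes(64); // signature slots, zeroed while unsigned
  let first = r.u8();
  const version = first & 0x80 ? first & 0x7f : 'legacy';
  if (version !== 'legacy') first = r.u8();
  const header = { numRequiredSignatures: first, numReadonlySigned: r.u8(), numReadonlyUnsigned: r.u8() };
  const staticAccountKeys = [], instructions = [];
  for (let n = r.compactU16(); n > 0; n--) staticAccountKeys.push(base58(r.bytes(32)));
  const recentBlockhash = base58(r.bytes(32));
  for (let n = r.compactU16(); n > 0; n--) {
    const programIdIndex = r.u8(), accountKeyIndexes = Array.from(r.bytes(r.compactU16()));
    instructions.push({ programIdIndex, accountKeyIndexes, data: Buffer.from(r.bytes(r.compactU16())) });
  }
  let addressTableLookups = 0;
  if (version !== 'legacy') {
    addressTableLookups = r.compactU16();
    for (let i = 0; i < addressTableLookups; i++) { r.bytes(32); r.bytes(r.compactU16()); r.bytes(r.compactU16()); }
  }
  if (r.pos !== buf.length) throw new Error('trailing bytes after message');
  return { version, header, staticAccountKeys, recentBlockhash, instructions, addressTableLookups };
}

// The gate to run between VersionedTransaction.deserialize and tx.sign: sign only when ok is true.
function checkBeforeSigning(buf, { wallet, allowedPrograms, maxLamportsOut }) {
  const tx = parseTransaction(buf), problems = [];
  let lamportsOut = 0n;
  if (tx.addressTableLookups > 0) problems.push('uses address lookup tables, so accounts cannot be inspected offline');
  if (tx.staticAccountKeys[0] !== wallet) problems.push(`fee payer ${tx.staticAccountKeys[0]} is not our wallet`);
  tx.instructions.forEach((ix, i) => {
    const program = tx.staticAccountKeys[ix.programIdIndex]; // undefined if it came from a lookup table
    if (program === undefined || !allowedPrograms.has(program)) {
      problems.push(`instruction ${i}: program ${program} is not allowlisted`);
    } else if (program === SYSTEM_PROGRAM && ix.data.length === 12 && ix.data.readUInt32LE(0) === 2
               && tx.staticAccountKeys[ix.accountKeyIndexes[0]] === wallet) {
      lamportsOut += ix.data.readBigUInt64LE(4); // System Transfer: u32 LE index 2, u64 LE lamports, accounts [from, to]
    }
  });
  if (lamportsOut > BigInt(maxLamportsOut)) problems.push(`moves ${lamportsOut} lamports out of the wallet, cap is ${maxLamportsOut}`);
  return { ok: problems.length === 0, problems, lamportsOut, version: tx.version };
}

// Constructed sample input: made-up 32-byte keys (the launch program is hypothetical) and an encoder mirroring
// the parser, so the demo runs offline. buildSampleTx yields a v0 tx with one empty signature slot, a System
// transfer of `lamports` from the wallet, one launch-program call and, if extraProgramKey is given, a third
// instruction into that program to model a transaction that does more than the token-creation UI shows.
const compactU16 = (n) => { const out = []; do { out.push((n & 0x7f) | (n >> 7 ? 0x80 : 0)); n >>= 7; } while (n); return Buffer.from(out); };
const WALLET_KEY = Buffer.alloc(32, 0x11), FEE_ACCOUNT_KEY = Buffer.alloc(32, 0x22);
const LAUNCH_PROGRAM_KEY = Buffer.alloc(32, 0x33), SYSTEM_KEY = Buffer.alloc(32, 0);
function buildSampleTx(lamports, extraProgramKey = null) {
  const keys = [WALLET_KEY, FEE_ACCOUNT_KEY, LAUNCH_PROGRAM_KEY, SYSTEM_KEY, ...(extraProgramKey ? [extraProgramKey] : [])];
  const transfer = Buffer.alloc(12); transfer.writeUInt32LE(2, 0); transfer.writeBigUInt64LE(BigInt(lamports), 4);
  const ixs = [[3, [0, 1], transfer], [2, [0, 1], Buffer.from([0x18, 0x1e, 0xc8, 0x28])]];
  if (extraProgramKey) ixs.push([4, [0], Buffer.from([1])]);
  const encoded = ixs.map(([p, a, d]) => Buffer.concat([Buffer.from([p]), compactU16(a.length), Buffer.from(a), compactU16(d.length), d]));
  return Buffer.concat([
    compactU16(1), Buffer.alloc(64),                          // one signature slot, still zeroed
    Buffer.from([0x80, 1, 0, keys.length - 2]),               // version 0; header: 1 signer, 0 ro signed, rest ro unsigned
    compactU16(keys.length), ...keys, Buffer.alloc(32, 0xbb), // static account keys, recent blockhash
    compactU16(encoded.length), ...encoded, compactU16(0),    // instructions, no address table lookups
  ]);
}

// Policy for the demo: System Program plus the (hypothetical) launch program, at most 1 SOL leaving the wallet.
const POLICY = { wallet: base58(WALLET_KEY), allowedPrograms: new Set([SYSTEM_PROGRAM, base58(LAUNCH_PROGRAM_KEY)]), maxLamportsOut: 1_000_000_000 };
// Three verdicts: within policy, over the spend cap, and a third instruction for a program not on the allowlist.
function demo() {
  return [buildSampleTx(500_000_000), buildSampleTx(5_000_000_000), buildSampleTx(1, Buffer.alloc(32, 0x44))]
    .map((tx) => checkBeforeSigning(tx, POLICY));
}
```

The lookup-table refusal is deliberate: a v0 transaction can reference accounts through on-chain address lookup tables, so the program and account list cannot be fully resolved without an RPC round trip; a signer that wants to stay offline and auditable should reject those outright or resolve them through the RPC and re-run the same allowlist. The spend cap only counts plain System Program transfers; token-program or launch-program instructions that move value need the same kind of decoding against that program's instruction layout, which is why simulation with a display of pre/post balances is still worth adding on top of the static check.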

Finding 3: Unpinned, unverified global npm install

What this means

A changed, typosquatted, or compromised npm package version could run different code than the reviewed artifacts while having access to the wallet key.

Why it was flagged

The documented setup installs a global npm package by its mutable `latest` dist-tag, for a tool that will handle PRIVATE_KEY, and the provided install specs neither pin an exact version nor verify what is fetched (no exact version, no integrity hash, no lockfile).

Skill content
npm install -g @hot-fun/hot-fun-ai@latest
Recommendation

Pin an exact package version and integrity hash, publish a verifiable source/homepage, include a lockfile or install spec, and avoid global installs where possible.