Hot Fun Integration
Verdict: Pass. Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: hot-fun-integration
Version: 1.0.1

The skill provides a legitimate CLI tool for creating Solana meme tokens on the hot.fun platform. It follows security best practices by using the PRIVATE_KEY only for local transaction signing and authentication (via an Ed25519 signature of a timestamp), ensuring the key is never transmitted to the external API (gate.game.com). The SKILL.md file includes mandatory security warnings and user consent requirements, and the code logic in scripts/create-token.ts is transparent and aligned with its stated purpose.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Risk: Anyone running this with a funded wallet gives the skill the ability to sign irreversible Solana transactions from that wallet.
Details: The CLI directly loads a Solana wallet secret key and uses it to authorize transactions.
Evidence:
    const privateKey = process.env.PRIVATE_KEY; ... const keypair = loadKeypair(privateKey); ... tx.sign([keypair]);
Mitigation: Use only a low-balance burner wallet, never paste the private key into chat, and require a clear transaction preview or simulation before signing.
Risk: If the remote API or installed CLI is compromised or returns an unexpected transaction, the wallet could sign actions beyond the user's visible token-creation parameters.
Details: The tool obtains a serialized transaction from a remote API, deserializes it, signs it, and sends it to Solana without checking the transaction contents.
Evidence:
    const res = await fetch(API_URL, { method: 'POST', body: formData }); ... const tx = VersionedTransaction.deserialize(txBytes); tx.sign([keypair]); ... connection.sendRawTransaction(tx.serialize(), ...
Mitigation: Add transaction inspection, simulation, allowlisted program checks, displayed fees/asset changes, and explicit per-transaction approval before broadcasting.
Risk: A changed, typosquatted, or compromised npm package version could run different code than the reviewed artifacts while having access to the wallet key.
Details: The documented setup installs a mutable latest-version global npm package for a tool that will handle PRIVATE_KEY, and the provided install specs do not pin or verify that package.
Evidence:
    npm install -g @hot-fun/hot-fun-ai@latest
Mitigation: Pin an exact package version and integrity hash, publish a verifiable source/homepage, include a lockfile or install spec, and avoid global installs where possible.
