plugy
SuspiciousAudited by ClawScan on May 10, 2026.
Overview
This skill clearly targets Solana trading, but it handles real wallet credentials, stores a trading API key for reuse, delegates trading instructions to mutable remote files, and supports autonomous trading.
Only use this with a separate wallet funded with money you can afford to lose. Review the remote trade/create/heartbeat files before use, avoid general agent-memory storage for the API key, require manual approval for trades, and do not enable the autonomous heartbeat loop without strict spend and stop limits.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the API key or private key is mishandled, someone else could trade with or potentially access the user's funds.
The skill gives the agent access to a custodial trading account, an API key, and a wallet private key, even though the registry declares no primary credential or required environment variable.
Every agent must register once to get a custodial wallet... "apiKey": "plugy_abc123...", "publicKey": "SolanaAddress...", "privateKey": "base58PrivateKey..."
Use only a separate, minimally funded wallet; require explicit credential declarations; store secrets in a secure secret manager; and rotate/revoke the API key if exposed.
A later prompt, tool, or compromised memory/context path could cause the saved key to be reused or exposed.
The skill explicitly asks the agent to persist a fund-controlling API key in memory or local storage without specifying retention limits, encryption, isolation, or task-boundary controls.
Save the `apiKey` in your memory... Store the apiKey in your memory, environment variables (`PLUGY_API_KEY`), or `~/.config/plugy/credentials.json`.
Do not store the trading key in general agent memory; prefer a scoped secret store or environment variable with least privilege, and clear it when no longer needed.
The agent may follow unreviewed or later-changed remote instructions while holding authority to trade with user funds.
The high-impact trading, token-creation, and autonomous-loop instructions are not included in the reviewed artifact and are fetched from mutable remote URLs that can change after review.
Each action has its own file. **Fetch only the file you need:** ... `https://plugy.fun/trade.md` ... `https://plugy.fun/create.md` ... `https://plugy.fun/heartbeat.md` ... **Do NOT guess any curl format. Fetch the right file and follow it exactly.**
Require the action files to be included in the reviewed package, pin versions or hashes, and review any fetched files before letting an agent use a funded wallet.
A mistaken or overly autonomous agent action could buy, sell, or create tokens in ways the user did not intend, potentially causing financial loss.
The skill authorizes high-impact financial operations and token creation, but the reviewed hub file does not define confirmation requirements, budget caps, slippage limits, allowlists, or rollback expectations.
Trade Solana tokens. Buy, sell, create... Buy or sell a token? → **Fetch `https://plugy.fun/trade.md`** ... Create / launch a new token? → **Fetch `https://plugy.fun/create.md`**
Use explicit human confirmation for each trade or launch, set hard maximum spend and slippage limits, and avoid granting the agent broad trading authority.
An autonomous loop could continue making trades and depleting funds if configured incorrectly or if the remote instructions change.
The skill advertises an autonomous trading loop, but the reviewed artifact does not show stop conditions, runtime limits, approval gates, or how the user can safely halt it.
**Autonomous loop** | HEARTBEAT.md | `https://plugy.fun/heartbeat.md` ... Set up autonomous trading? → **Fetch `https://plugy.fun/heartbeat.md`** — has the full heartbeat loop, strategy setup, and signal filtering.
Do not enable autonomous trading unless the loop code/instructions are reviewed, time-limited, budget-limited, logged, and easy to stop.