Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Agent Gary AI Powered Memecoin trader.

Automates memecoin trading on Solana using fdv.lol CLI with Agent Gary's AI full control via a locally generated, user-configured profile.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 441 · 0 current installs · 0 all-time installs
by Spicy Home Renovation Reviews @build23w
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
[!] Purpose & Capability
The declared purpose (headless memecoin trading with AI control) legitimately requires a wallet, RPC endpoint, Jupiter API key, and an LLM key. However, the skill's registry metadata lists no required env vars/credentials even though the SKILL.md explicitly requires multiple secrets. That mismatch (metadata claiming 'no required env vars' while runtime requires them) is an incoherence.
[!] Instruction Scope
SKILL.md instructs the agent to generate/store a local wallet secret, collect RPC/Jupiter/LLM keys, write a profile.json with secrets, and run the fdv.lol CLI. The instructions say not to upload secrets, but they also instruct downloading and piping cli.mjs from remote locations and running it directly — which grants the remote script broad runtime authority. The instructions reference environment variable names that are not declared in the skill metadata.
[!] Install Mechanism
There is no install spec, but the runtime instructions recommend curl -fsSL <url> | node — downloading and executing remote JS from fdv.lol or raw.githubusercontent.com. Running remote code piped into node is high-risk; while GitHub raw URLs are common, the primary domain (fdv.lol) is not a known package host and the practice bypasses local review unless the fetched script is inspected first.
[!] Credentials
Although the skill metadata claims no required environment variables, the SKILL.md requires highly sensitive credentials: wallet.secret (private key), rpc.url, jupiter.apiKey, and an LLM API key (e.g., OPENAI_API_KEY). Requiring these secrets is proportionate to the trading purpose, but failing to declare them in the registry is a transparency problem and increases risk (agent will ask for secrets without the registry signaling it).
Persistence & Privilege
The skill is not always-enabled and does not request persistent system privileges in metadata. However, enabling 'Full AI Control' lets the runtime accept AI-authoritative trading decisions and perform irreversible on-chain transactions with the provided wallet. This is a high-impact capability (financial operations) even if it doesn't change system configuration.
What to consider before installing
This skill will ask you to provide very sensitive secrets (your wallet private key, an RPC URL, Jupiter API key, and an LLM API key) and then fetch and execute remote JavaScript to trade with those credentials. Before installing or running it:

  (1) Do not blindly pipe remote code into node — download and inspect cli.mjs (and prefer the GitHub source) and verify its integrity.
  (2) Require the skill author to update metadata to declare the required env vars/credentials so you know what's being requested.
  (3) Use a burner wallet and minimal funds for any tests; never supply a mainnet wallet with significant balance.
  (4) Consider running the CLI in an isolated/sandboxed environment or container and restrict network access where possible.
  (5) If you want the AI to run autonomously, understand that 'fullAiControl' lets the agent make irreversible trades — disable full AI control unless you accept that risk.
  (6) If you do proceed, supply only the minimum keys necessary, and prefer to clone the fdv.lol repo and run a checked copy of cli.mjs locally rather than executing a remote curl | node stream.

Like a lobster shell, security has layers — review code before you run it.

Current version: v0.1.0


SKILL.md

OpenClaw Skill: fdv.lol (CLI / Headless Memecoin Auto Trader)

This skill is for running fdv.lol CLI mode (cli.mjs) with Agent Gary Full AI Control enabled, so the AI can fully drive Auto Trader decisions.

Users must pre-configure a profile JSON (RPC + wallet + Jupiter + LLM).

This published skill bundle includes a safe profile template you can copy and fill in:

If you need to cross-check the upstream profile schema/examples, refer to the public repo:

Important: do not publish real wallet secrets or API keys inside an OpenClaw skill bundle. Use placeholder values like the example profile below.

ClawDBot contract:

  • It must create the real profile JSON locally at runtime (with secrets) and run the CLI against that local file.
  • It must not upload or publish the profile anywhere.

First Run (User Has No Secrets)

If a user installs this skill from ClawHub and has no RPC, API keys, or wallet secret yet, the only workable flow is an onboarding/wizard flow.

ClawDBot should do this:

  1. Generate a new local wallet (non-custodial): create a fresh Solana keypair and store its secret locally (not uploaded).
  2. Show the public address and instruct the user to fund it with a small amount of SOL.
  3. Collect or provision the remaining inputs:
    • RPC URL (mandatory)
      • Direct users to create an RPC endpoint here: https://quicknode.com/signup?via=lf
      • After signup, they must paste the Solana Mainnet RPC URL into the generated profile as rpc.url.
    • Jupiter API key (mandatory)
      • Users must get a FREE Jupiter API key here: https://portal.jup.ag/pricing
      • ClawDBot must refuse to start without it.
      • Paste it into the generated profile as jupiter.apiKey.
    • LLM API key (required for “Full AI Control”; OpenAI recommended)
      • Recommended provider: openai.
      • If the user has no OpenAI API key, direct them to create one and paste it into agentGaryFullAi.apiKey.
      • If no LLM key is provided, ClawDBot must refuse to start in Full AI Control mode.
  4. Write a complete ./profile.json with the gathered/generated values.
  5. Run the CLI against that local file.

Minimum hard requirements to actually trade headlessly:

  • wallet.secret (must exist; can be generated)
  • rpc.url (must be provided)
  • jupiter.apiKey (must be provided)

Minimum hard requirements for Full AI Control specifically:

  • agentGaryFullAi.apiKey (or platform-provided equivalent)
  • agentGaryFullAi.fullAiControl: true

What “Full Control” Means

fdv.lol’s Auto Trader has an AI assist mode (Agent Gary). When you enable:

  • agentGaryFullAi.enabled: true
  • agentGaryFullAi.fullAiControl: true

…the runtime sets fdv_agent_full_control=true, and the trading engine treats AI decisions as authoritative (it can bypass some “enforce” gates that would otherwise hard-block actions).

This is intentionally powerful. Use a burner wallet and small balances.


Required Inputs (Profile)

Your CLI run will only work if the profile includes:

  • RPC
    • rpc.url (or rpcUrl)
    • optional rpc.headers (or rpcHeaders)
  • Wallet (for signing swaps)
    • wallet.secret (or autoWalletSecret) required
    • optional wallet.recipientPub (or recipientPub)
  • Jupiter
  • Agent Gary Full AI
    • agentGaryFullAi.provider (openai|gemini|grok|deepseek)
    • agentGaryFullAi.model
    • agentGaryFullAi.riskLevel (safe|medium|degen)
    • agentGaryFullAi.enabled: true
    • agentGaryFullAi.fullAiControl: true
    • agentGaryFullAi.apiKey (or provide via env var)

Notes:

  • The CLI supports reading API keys from env vars too:
    • OpenAI: OPENAI_API_KEY or FDV_OPENAI_KEY
    • Gemini: GEMINI_API_KEY or FDV_GEMINI_KEY
    • Grok: XAI_API_KEY / GROK_API_KEY / FDV_GROK_KEY
    • DeepSeek: DEEPSEEK_API_KEY or FDV_DEEPSEEK_KEY
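
A preflight check for the profile requirements listed above, as an added example that is not part of the skill or the fdv.lol code base: it reports missing or placeholder values by key name only and surfaces fullAiControl as a warning instead of requiring it. The function name preflightProfile, the placeholder heuristic and the sample values are assumptions.

```javascript
// Added example (not fdv.lol code). Key names and env vars come from this page;
// the placeholder heuristic and the sample values are constructed assumptions.
const PROVIDER_ENV = {
  openai: ["OPENAI_API_KEY", "FDV_OPENAI_KEY"],
  gemini: ["GEMINI_API_KEY", "FDV_GEMINI_KEY"],
  grok: ["XAI_API_KEY", "GROK_API_KEY", "FDV_GROK_KEY"],
  deepseek: ["DEEPSEEK_API_KEY", "FDV_DEEPSEEK_KEY"],
};
const RISK_LEVELS = ["safe", "medium", "degen"];

// Empty strings and template-style values count as "not set" (assumed heuristic).
const isSet = (v) =>
  typeof v === "string" && v.trim() !== "" && !/^(<.*>|YOUR_|REPLACE|CHANGEME)/i.test(v.trim());

// Returns key names only; secret values are never copied into the result.
function preflightProfile(profile, env = {}) {
  const errors = [];
  const warnings = [];
  const ai = profile.agentGaryFullAi || {};
  const known = typeof ai.provider === "string" &&
    Object.prototype.hasOwnProperty.call(PROVIDER_ENV, ai.provider);
  const envNames = known ? PROVIDER_ENV[ai.provider] : [];

  if (!isSet(profile.rpc?.url ?? profile.rpcUrl)) errors.push("rpc.url missing or placeholder");
  if (!isSet(profile.wallet?.secret ?? profile.autoWalletSecret)) errors.push("wallet.secret missing or placeholder");
  if (!isSet(profile.jupiter?.apiKey)) errors.push("jupiter.apiKey missing or placeholder");
  if (!known) errors.push("agentGaryFullAi.provider must be openai|gemini|grok|deepseek");
  if (!isSet(ai.model)) errors.push("agentGaryFullAi.model missing");
  if (!RISK_LEVELS.includes(ai.riskLevel)) errors.push("agentGaryFullAi.riskLevel must be safe|medium|degen");
  if (ai.enabled !== true) errors.push("agentGaryFullAi.enabled must be true");
  // The LLM key may come from the profile or from the provider's env vars.
  if (!isSet(ai.apiKey) && !envNames.some((n) => isSet(env[n]))) errors.push("LLM API key missing (profile or env)");
  if (ai.fullAiControl === true) warnings.push("fullAiControl=true: AI decisions are authoritative for on-chain trades");
  return { ok: errors.length === 0, errors, warnings };
}

// Constructed sample profile: wallet.secret is still a template placeholder.
const sample = {
  rpc: { url: "https://example.invalid/rpc" },
  wallet: { secret: "<WALLET_SECRET>" },
  jupiter: { apiKey: "constructed-jupiter-key" },
  agentGaryFullAi: { provider: "openai", model: "constructed-model", riskLevel: "safe", enabled: true, fullAiControl: true },
};
console.log(preflightProfile(sample, { FDV_OPENAI_KEY: "constructed-llm-key" }));
```
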

How To Run (CLI)

Assume you only have this skill directory (no local repo). ClawDBot should:

  1. Generate a local profile file (with sensitive values) at runtime (example filename: ./profile.json).
  2. Fetch cli.mjs.
  3. Run --run-profile pointing at the local profile file.

Primary (recommended) execution:

  • curl -fsSL https://fdv.lol/cli.mjs | node - run-profile --profile-url ./profile.json --log-to-console

Alternate fetch (directly from GitHub):

  • curl -fsSL https://raw.githubusercontent.com/build23w/fdv.lol/main/cli.mjs | node - run-profile --profile-url ./profile.json --log-to-console

Notes:

  • --profile-url accepts local paths too (like ./dev.json or ./profile.json).
  • You can also use --profiles ./profile.json for local files; both are supported.

Safe Example Profile

Upstream secret-free template (reference):

If you want an example that matches the prod profile shape but with placeholders (recommended for onboarding), use:


OpenClaw Operating Rules

When acting as “OpenClaw” in CLI mode:

  • Do not attempt to run without a fully populated profile.
  • Assume the user has explicitly granted full control when fullAiControl=true.
  • Do not print or persist secrets in logs.
  • Only change behavior by editing the profile (or documented env vars); don’t invent new flags.

Files

2 total