Blowfish Launch

v1.0.0

Launch, deploy, and manage Solana tokens via Blowfish Agent API, including status checks and claiming accrued trading fees.

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Benign
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's name, SKILL.md, and script all describe launching tokens via the Blowfish Agent API, and the included script implements that workflow. That capability is coherent with the stated purpose. However, the registry metadata claims no required environment variables or binaries, while both SKILL.md and scripts/blowfish-launch.ts require a WALLET_SECRET_KEY environment variable, a Node/Bun runtime, and certain JS libraries. The missing declaration of the wallet secret in the metadata is an inconsistency and should be justified or fixed.
Instruction Scope
The SKILL.md and the bundled script are narrowly scoped to: read WALLET_SECRET_KEY, perform a wallet-based challenge/verify with api-blowfish.neuko.ai, POST launch parameters, poll status, and optionally call claim endpoints. They do not ask to read unrelated system files. The concern is that the instructions explicitly require the wallet private key (WALLET_SECRET_KEY) and will transmit signatures and JWT-authenticated requests to an external service — behavior that is expected for launching tokens but sensitive and not declared in registry metadata.
Install Mechanism
There is no install spec (instruction-only plus a script), so nothing will be automatically downloaded or written by an installer. This is low-risk from an install mechanism perspective. The script expects Node.js/Bun and some npm packages but does not install them itself.
Credentials
The script requires WALLET_SECRET_KEY (a full ed25519 private key) to be provided via an environment variable, but the skill metadata lists no required env vars or primary credential. This mismatch is a red flag. The API issues a JWT with scope ["read","trade"] per references/api.md, which implies the authenticated token could permit trading or other account actions — further increasing sensitivity of the private key. No other unrelated secrets are requested, which is appropriate, but the omission from metadata and the sensitivity of the key justify caution.
Persistence & Privilege
The skill does not request permanent presence (always: false) and does not modify other skills or system-wide agent settings. Autonomous invocation is enabled by default (disable-model-invocation: false), which is normal; pair it with the required wallet key only if you trust the skill and its operator.
What to consider before installing
This skill implements its stated purpose (launching Solana tokens), and the script legitimately needs a wallet private key to sign authentication challenges. However:
(1) The registry metadata does not declare the WALLET_SECRET_KEY env var or the runtime dependencies; ask the publisher to update the metadata to accurately list required env vars and runtime.
(2) The source and homepage are unknown; verify the operator (api-blowfish.neuko.ai) and confirm you trust them before exposing any private key.
(3) Because a JWT scope includes "trade", a compromised key could enable trading/claims, so never use your primary/mainnet wallet. Test with a throwaway wallet that holds minimal funds and rotate keys after testing.
(4) Prefer providing keys from an ephemeral environment (not a long-lived system env that other skills or processes can read), and review network traffic or the service's documentation if possible.
(5) If you need higher assurance, ask the publisher for a provenance link (Git repo, homepage, maintainers), or request that the registry metadata be corrected to list WALLET_SECRET_KEY and runtime requirements before installing.
