Prism Alerts
v1.1.2Real-time Pump.fun token alerts for Solana traders. New launches, graduations, volume spikes. For trading bots, Discord, Telegram, AI agents.
⭐ 1· 2k·0 current·0 all-time
byNext Frontier AI@nextfrontierbuilds
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description (Pump.fun / Solana token alerts) aligns with the included script and examples: the bash script polls PRISM endpoints and the SKILL.md shows Telegram/Discord integration examples. However, the skill metadata declares no required env vars while SKILL.md documents TELEGRAM_BOT_TOKEN, DISCORD_BOT_TOKEN, channel IDs, and PRISM_URL — an inconsistency in what the package says it needs versus what instructions demonstrate. PRISM_URL defaults to a third‑party Railway app (strykr-prism.up.railway.app); that external service is central to the skill but the source/homepage are unknown.
Instruction Scope
SKILL.md and scripts stay within alerting functionality: polling PRISM API, formatting alerts, and sending to bots. The included watch loop stores seen tokens in /tmp/prism_seen_tokens.txt and polls every 30s. SKILL.md includes code examples that would transmit token data to Telegram/Discord channels (expected for alerts). Instructions do not direct the agent to read unrelated files or other credentials, but they do assume use of external messaging services (which require tokens).
Install Mechanism
No install spec — instruction-only plus a small shell script included. Nothing is downloaded from arbitrary URLs or written to unusual system locations by an installer. Risk from installation mechanism is low.
Credentials
The skill metadata lists no required env vars, but SKILL.md documents PRISM_URL, TELEGRAM_BOT_TOKEN, TELEGRAM_CHANNEL_ID, DISCORD_BOT_TOKEN, and DISCORD_CHANNEL_ID. Requiring messaging bot tokens is expected for integrations, but the metadata failing to declare them reduces transparency. Also the default PRISM_URL points to a third‑party hosted endpoint (Railway) — all alert/request data will flow through that service unless you change PRISM_URL. Requesting or entering bot tokens into code that communicates with an external (unknown) API increases risk of credential exposure if that service or its operator is untrusted.
Persistence & Privilege
always is false and the skill does not request elevated or persistent platform privileges. The script writes only a temporary /tmp/prism_seen_tokens.txt to deduplicate alerts. It does not modify other skills or system settings.
What to consider before installing
This skill appears to do what it says (poll a PRISM API and produce alerts), but exercise caution before supplying bot credentials or trusting the default PRISM endpoint. Things to check before installing or running:
- Verify the PRISM API: the default URL (strykr-prism.up.railway.app) is a third‑party host with no homepage provided; confirm the operator and trustworthiness. Consider self‑hosting or pointing PRISM_URL at a trusted endpoint.
- The package metadata does not declare the TELEGRAM/DISCORD env vars shown in the README. Expect to need your own TELEGRAM_BOT_TOKEN / DISCORD_BOT_TOKEN and channel IDs to send alerts — do not paste tokens into unknown web UIs; run the bot locally or in a controlled environment.
- Inspect and run the included scripts locally or inside a sandbox/container. The script only uses curl/jq and writes a dedupe file under /tmp, but network requests go to the PRISM service so review traffic if you are concerned about data leaving your environment.
- Prefer creating your own messaging bots and supply only those tokens. If you must use an external Prism provider, verify TLS, ownership, and privacy policy; avoid sharing credentials with unknown operators.
If you want a higher assurance verdict, provide: the upstream repository or homepage for the PRISM API and the skill, and confirmation of who operates the strykr-prism endpoint; with that info the assessment can move to benign if the operators are trustworthy.Like a lobster shell, security has layers — review code before you run it.
latestvk971s1k6v46y9vtefy87pnfffh80h6fw
License
MIT-0
Free to use, modify, and redistribute. No attribution required.