ClawHub

Pump Fun

v1.0.1

Buy, sell, and launch tokens on Pump.fun using the PumpPortal API

4· 2.2k·3 current·5 all-time
byPlayda@playdadev
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's purpose (buy/sell/launch tokens on Pump.fun) legitimately requires access to a Solana private key, which the SKILL.md declares (SOLANA_PRIVATE_KEY). However the top-level registry 'Requirements' section lists no required env vars while the SKILL.md metadata requires SOLANA_PRIVATE_KEY — an inconsistency that needs clarification.
!
Instruction Scope
The SKILL.md instructs the agent to use a private key from SOLANA_PRIVATE_KEY and claims transactions are signed locally (expected for this purpose), but it also tells the user to run `cd {baseDir}` and `npm install` even though this skill is instruction-only and there are no code files or package manifest included. The instructions give broad discretion about RPC endpoint and local signing without showing where code runs, which is ambiguous and risky for a key-bearing workflow.
!
Install Mechanism
There is no install spec and no code files, yet the SKILL.md tells the user to run `npm install` in a baseDir. That discrepancy is suspicious: either required code is missing from the package, or the instructions expect downloading/running external code at runtime (not documented). Both situations increase risk because you don't know what would be installed or executed.
!
Credentials
Requiring a single sensitive secret (SOLANA_PRIVATE_KEY) is proportionate to trading on Solana, but exposing that key to an agent or putting it in an environment variable is high risk. The registry metadata omission of this required env var is inconsistent and makes it unclear whether the platform will prompt for or protect the key. No additional unrelated credentials are requested.
Persistence & Privilege
The skill is not always-enabled and does not request elevated or persistent platform privileges. Autonomous invocation is allowed by default but is not, by itself, an additional risk here — the main concern is what happens when the skill is invoked and given a private key.
What to consider before installing
This skill needs your Solana private key to operate. Before installing or using it: (1) do not export your main wallet key — use a dedicated, funded-with-minimal-SOL wallet or a signing-only/hardware wallet; (2) ask the publisher for source code or a package manifest (package.json) and a clear install spec — the SKILL.md's `npm install` instruction is inconsistent with the package containing no code; (3) verify the PumpPortal API endpoints and confirm where transactions are signed and whether any network requests might transmit your key; (4) prefer solutions that use an external signer (wallet adapter, hardware wallet, or walletconnect) rather than supplying a raw private key in an environment variable; (5) if you proceed, test with trivial amounts first and monitor transactions from the wallet. If the publisher cannot provide code, a reproducible install, and clear assurance that the private key is never transmitted off your device, treat the skill as unsafe to use.

Like a lobster shell, security has layers — review code before you run it.

latestvk97bct9q4mtqvapze4e956jn5s80jcr3
2.2kdownloads
4stars
2versions
Updated 1mo ago
v1.0.1
MIT-0
Playda@playdadev
latest
Download

Pump.fun Trading Skill

This skill enables trading and launching tokens on Pump.fun through the PumpPortal API.

Commands

Buy Tokens

Buy tokens on Pump.fun by specifying the token mint address and amount.

Usage: /pump-buy <mint_address> <amount_sol> [slippage]

Examples:

  • /pump-buy 7xKXtg2CW87d97TXJSDpbD5jBkheTqA83TZRuJosgAsU 0.1 - Buy 0.1 SOL worth of tokens
  • /pump-buy 7xKXtg2CW87d97TXJSDpbD5jBkheTqA83TZRuJosgAsU 0.5 15 - Buy with 15% slippage

Sell Tokens

Sell tokens on Pump.fun by specifying the token mint address and amount.

Usage: /pump-sell <mint_address> <amount|percentage> [slippage]

Examples:

  • /pump-sell 7xKXtg2CW87d97TXJSDpbD5jBkheTqA83TZRuJosgAsU 1000000 - Sell 1,000,000 tokens
  • /pump-sell 7xKXtg2CW87d97TXJSDpbD5jBkheTqA83TZRuJosgAsU 100% - Sell all tokens
  • /pump-sell 7xKXtg2CW87d97TXJSDpbD5jBkheTqA83TZRuJosgAsU 50% 10 - Sell 50% with 10% slippage

Launch Token

Create and launch a new token on Pump.fun.

Usage: /pump-launch <name> <symbol> <description> [dev_buy_sol]

Examples:

  • /pump-launch "My Token" MTK "A revolutionary token" 1 - Launch with 1 SOL dev buy
  • /pump-launch "Cool Coin" COOL "The coolest coin ever" - Launch with default dev buy

Configuration

Required Environment Variables

  • SOLANA_PRIVATE_KEY - Your Solana wallet private key (base58 encoded)

Optional Environment Variables

  • SOLANA_RPC_URL - Custom RPC endpoint (defaults to public mainnet)
  • PUMP_PRIORITY_FEE - Priority fee in SOL (default: 0.0005)
  • PUMP_DEFAULT_SLIPPAGE - Default slippage percentage (default: 10)

Setup

  1. Install dependencies:

    cd {baseDir}
npm install

  2. Set your environment variables:

    export SOLANA_PRIVATE_KEY="your-base58-private-key"

  3. (Optional) Configure custom RPC:

    export SOLANA_RPC_URL="https://your-rpc-endpoint.com"

Security Notes

  • Never share your private key
  • Use a dedicated trading wallet with limited funds
  • Start with small amounts to test
  • The skill uses the Local Transaction API for maximum security (transactions are signed locally)

Fees

  • PumpPortal charges a 0.5% fee per trade
  • Standard Solana network fees apply
  • Priority fees are configurable

Supported Pools

The skill automatically selects the best pool, but supports:

  • pump - Pump.fun bonding curve
  • raydium - Raydium AMM (for graduated tokens)
  • pump-amm - Pump.fun AMM
  • auto - Automatic pool selection (default)

Comments

Loading comments...