ClawLaunch
WarnAudited by ClawScan on May 10, 2026.
Overview
ClawLaunch appears to be a coherent crypto launch/trading integration, but it deserves review because it enables API-key-controlled on-chain token launches/trades and documents autonomous trading loops without clear built-in limits.
Only use this skill if you intentionally want an agent to interact with ClawLaunch crypto launch/trading APIs. Start with testnet or read-only/token-listing actions, use least-privileged API keys, require manual confirmation and wallet signing for every transaction, set firm spend and slippage limits, and never put sensitive information in on-chain memos.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overly autonomous agent action could create tokens, prepare unsafe transactions, or sell an entire token balance if the user or agent signs the returned transaction.
The wrapper exposes high-impact financial operations, including token launch, buy, sell, and a sell-all path. Even where buy/sell return calldata, the workflow is intended for real on-chain transactions and the artifacts do not show mandatory user approval, budget limits, or token allowlists.
launch <name> <symbol> Launch a new token; buy <token> <wallet> <eth> Get buy transaction calldata; sell <token> <wallet> [amount] Get sell transaction calldata (omit amount to sell all)
Require explicit user confirmation for every launch, buy, and sell; set maximum ETH/token amounts and slippage limits; avoid sell-all unless specifically requested; and prefer testnet or read-only operations first.
If run unattended, an agent could keep evaluating and acting on tokens over time, potentially making repeated financial decisions without fresh user review.
The reference material documents long-running autonomous discovery/trading loops. The artifacts do not show these loops being installed or auto-started, but copying them would create persistent autonomous trading behavior.
Continuously discover new tokens and evaluate opportunities. ... while True: ... if evaluation['should_buy']: ... # Execute buy here
Do not run autonomous loops without explicit budgets, stop conditions, dry-run mode, logging, and manual approval for each trade.
A broadly scoped or leaked API key could let an agent or anyone with access to the key perform ClawLaunch operations within that key's permissions.
The API key is expected for this service, but it carries launch/trade authority. This sensitive credential requirement is not reflected in the registry credential fields.
"apiKey": "YOUR_API_KEY_HERE" ... "Your API key grants access to launch and trade operations."
Use least-privileged API keys, separate read/trade/launch scopes where possible, store keys with restrictive permissions, rotate keys if exposed, and avoid giving production trading keys to unattended agents.
Sensitive reasoning, private information, or misleading content placed in a memo could become permanently public and potentially influence later agent decisions.
The optional memo feature creates persistent public trade reasoning that can later be retrieved and read by other users or agents.
Memo is permanently stored on-chain in the transaction
Treat memos as public and irreversible; never include secrets, private data, or unreviewed agent reasoning in on-chain memo fields.