Tokenized agents pump.fun
Pass. Audited by ClawScan on May 1, 2026.
Overview
This is a coherent Solana payment-integration guide, but users should verify wallet prompts, RPC providers, and npm package provenance before using it.
This skill appears benign and purpose-aligned for building Solana payment flows. Before using it, verify that the npm packages and RPC providers are legitimate, keep private keys out of the app, and make sure every wallet transaction prompt matches the intended amount, currency, and network before signing.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could pay with real SOL or USDC if they approve the wallet transaction.
The skill documents creating and submitting blockchain payment transactions. This is expected for the stated payment-flow purpose, but transactions can move real funds once the user signs.
Client reconstructs instructions, signs, and submits the transaction on Solana via `sendTransaction`.
Review wallet prompts carefully and confirm the amount, currency, recipient/program, and network before signing.
Connecting a wallet lets the app identify the wallet address and ask the user to approve payment transactions.
The integration connects to a user's Solana wallet and can request transaction signatures. The artifacts also state that the user signs and that private keys must not be logged, so this is purpose-aligned rather than suspicious.
`useWallet()` gives you the user's `publicKey` and `signTransaction`.
Use a trusted wallet, never share seed phrases or private keys, and approve only transactions that match the intended payment.
A project using this guide will add third-party dependencies that run in the user's application environment.
The workflow depends on external npm packages. Installing these packages is central to the skill's purpose, but users should still verify package provenance and lock versions.
`npm install @pump-fun/agent-payments-sdk@3.0.0 @solana/web3.js@^1.98.0`
Install from trusted registries, review package names carefully, use a lockfile, and follow the skill's own advice to avoid blindly installing incompatible latest versions.
The chosen RPC provider may see wallet public addresses, transaction submissions, and request metadata.
The skill recommends external Solana RPC endpoints for building, sending, and verifying transactions. This is disclosed and expected, but the RPC provider can observe submitted transactions and query data.
`SOLANA_RPC_URL=https://rpc.solanatracker.io/public`
Use an RPC provider you trust, especially for production payment flows.
