Tokenized agents pump.fun
Pass
Audited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill
Name: pump-fun-tokenized-agents
Version: 1.0.0
The skill bundle provides legitimate instructions and code templates for integrating Solana-based payments using the @pump-fun/agent-payments-sdk. It includes strong safety guidelines, such as prohibiting the handling of private keys by the agent and requiring server-side verification of transactions. The logic and external references (e.g., to GitHub and public Solana RPCs like Solana Tracker) are consistent with the stated purpose of building payment flows for tokenized agents.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user could pay with real SOL or USDC if they approve the wallet transaction.
The skill documents creating and submitting blockchain payment transactions. This is expected for the stated payment-flow purpose, but transactions can move real funds once the user signs.
Client reconstructs instructions, signs, and submits the transaction on Solana via `sendTransaction`.
Review wallet prompts carefully: confirm the amount, currency, recipient/program, and network before signing.
Connecting a wallet lets the app identify the wallet address and ask the user to approve payment transactions.
The integration connects to a user's Solana wallet and can request transaction signatures. The artifacts also state the user signs and private keys must not be logged, so this is purpose-aligned rather than suspicious.
`useWallet()` gives you the user's `publicKey` and `signTransaction`.
Use a trusted wallet, never share seed phrases or private keys, and approve only transactions that match the intended payment.
A project using this guide will add third-party dependencies that run in the user's application environment.
The workflow depends on external npm packages. Installing these packages is central to the skill's purpose, but users should still verify package provenance and lock versions.
`npm install @pump-fun/agent-payments-sdk@3.0.0 @solana/web3.js@^1.98.0`
Install from trusted registries, review package names carefully, use a lockfile, and follow the skill's own advice to avoid blindly installing incompatible latest versions.
The chosen RPC provider may see wallet public addresses, transaction submissions, and request metadata.
The skill recommends external Solana RPC endpoints for building, sending, and verifying transactions. This is disclosed and expected, but the RPC provider can observe submitted transaction and query data.
`SOLANA_RPC_URL=https://rpc.solanatracker.io/public`
Use an RPC provider you trust, especially for production payment flows.
