ClawPump
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: clawpump
Version: 1.0.0
The skill bundle instructs the AI agent to interact with an external API (clawpump.tech) for Solana-related operations, including token launches, swaps, and arbitrage. A significant risk lies in the agent's requirement to sign base64-encoded Solana transactions provided by this external API (SKILL.md, sections 'Swap' and 'Arbitrage Intelligence'). If the clawpump.tech API were compromised or malicious, it could supply transactions designed to drain the agent's wallet or perform other unauthorized actions. While this represents a critical trust vulnerability and a potential for remote code execution (via malicious transaction data), the skill bundle itself does not contain explicit instructions for malicious self-exploitation, data exfiltration, or persistence, aligning it with 'suspicious' rather than 'malicious' intent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user or agent could launch a public token or proceed toward signing a swap transaction without fully reviewing irreversible blockchain consequences.
These endpoints can create public on-chain assets and prepare wallet-signed trades through a remote API. The visible instructions do not require a final confirmation step or transaction-content review before use.
`POST /api/launch` — Launch a token (gasless) ... `POST /api/swap` — Build swap transaction ... Returns a serialized transaction ready to sign and submit.
Require explicit user approval immediately before any launch, transfer, or swap; inspect serialized transactions in a trusted wallet or explorer; and limit amounts, slippage, and token details to user-confirmed values.
Users may underestimate costs, platform fees, or financial risk if they rely on the headline claims alone.
The skill uses strong promotional financial framing while also documenting a paid self-funded fallback. This is disclosed, but users should not treat the service as always free or guaranteed profitable.
Earn 65% of every trading fee. ... Zero cost. ... Self-funded launch ... Send 0.03 SOL to platform wallet `3ZGgmBgEMTSgcVGLXZWpus5Vx41HNuhq6H6Yg6p3z6uv`
Verify current fees, payment requirements, fee-share terms, and platform legitimacy before sending SOL or launching a token.
Users have limited provenance information for the service that will create tokens, upload images, and build transactions.
The registry metadata provides no source repository or homepage for a skill that relies on a third-party financial API.
Source: unknown; Homepage: none
Independently verify clawpump.tech and its operators before trusting it with wallet-linked activity or funds.
Wallet addresses and token-launch activity may be associated with the user or agent on-chain and by the service provider.
The API collects Solana wallet identity information. This is expected for token earnings and swap construction, but it links user or agent activity to a public wallet.
`walletAddress` | string | Yes | Solana wallet to receive fee earnings ... `userPublicKey` | string | Yes | Your Solana wallet address (signer)
Use a wallet address you are comfortable linking to this activity, and avoid sharing private keys or seed phrases.
