Skill v1.0.0
ClawScan security
pumpfun-sniper · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 5, 2026, 9:05 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill appears to do what it claims (on-chain and web API checks to score pump.fun tokens) and its code is consistent with that purpose, but there are a few non-critical inconsistencies and external endpoints you should verify before running it.
- Guidance: This skill is coherent with its stated purpose, but before installing or running it: 1) Verify the external endpoints, especially the Herokuapp URL used to fetch pump.fun metadata and the x402 facilitator URL used for payments, and confirm they are trustworthy. 2) Only provide a HELIUS_API_KEY if you understand its scope: it is an account credential for Helius RPC, used here for wallet/tx lookups, not a wallet key; anyone who obtains it can consume your Helius quota, so scope it to this use and never supply wallet private keys. 3) If self-hosting, inspect api/server.py (payment flow, PAY_TO env var) and run it in an isolated environment after pip-installing api/requirements.txt. 4) Run the local script with minimal privileges and observe its network calls (for example behind an egress proxy, or with egress blocked except to the expected hosts) if you need to limit exfiltration. If you want higher assurance, ask the publisher to confirm the pump.fun API origins (why the Herokuapp endpoint is present), or run the scorer with HELIUS_API_KEY omitted (it still works using the default public RPC, with reduced wallet-history signals).
Review Dimensions
- Purpose & Capability [note]: Name/description match the code: the scorer inspects pump.fun metadata, DexScreener data and Solana RPC (optionally via Helius) and computes dev/social/liquidity/holder signals. The requested binary (python3) is appropriate. One inconsistency: the registry metadata earlier reported "Required env vars: none", while SKILL.md and the code reference HELIUS_API_KEY (used for richer wallet/tx lookups). That difference should be reconciled, but a Helius key is sensible for the described functionality.
- Instruction Scope [note]: SKILL.md instructs running the included Python scorer or using a hosted paid API; runtime actions are limited to network queries (pump.fun APIs, DexScreener, Solana RPC/Helius) and on-chain computations. Be aware that the code contacts a Herokuapp URL (client-api-2-74b1891ee9f9.herokuapp.com) in addition to frontend-api.pump.fun and dexscreener. That Heroku host is not under the pump.fun domain; confirm with the publisher why it is present and what data is sent to it before running.
- Install Mechanism [note]: There is no automated install spec (instruction-only for the platform), but the bundle includes Python scripts and a requirements.txt; you must pip-install the dependencies to run it. No unusual installers or downloads; the risk is that of running third-party code you pull locally. If you plan to self-host, review api/server.py, which also exposes a paid API flow (x402 facilitator URL).
- Credentials [note]: The only runtime secret referenced in the code is HELIUS_API_KEY (optional; without it the scorer falls back to public Solana RPC). That key is proportionate to the purpose (fetching wallet tx history). However, the package/registry metadata did not list required env vars while SKILL.md did, so the metadata is inconsistent; confirm whether you must supply HELIUS_API_KEY before using the skill.
- Persistence & Privilege [ok]: The skill does not request elevated or persistent platform privileges (always:false). It does not modify other skills or system configs. Agent autonomous invocation is allowed by default but is not combined here with broad secret requests.
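As a concrete form of the endpoint check that the Guidance above and the Instruction Scope note both call for, here is an added example (my own code, not part of the ClawHub scanner or of the pumpfun-sniper skill) that statically lists every outbound URL host and environment variable a skill's Python files reference, and flags any host outside a reviewer-supplied allowlist. The allowlist, the Helius and public Solana RPC hostnames, the file layout and the sample source are assumptions constructed for the example; the Herokuapp, frontend-api.pump.fun and DexScreener hosts are the ones the verdict names.

```python
"""Static egress/secret audit for a skill bundle.

Added example (not ClawHub scanner code and not part of pumpfun-sniper).
Walks a directory of Python sources, pulls out URL literals and
os.environ / os.getenv references, and flags any host outside an allowlist
the reviewer supplies. The allowlist encodes the domains the verdict treats
as expected; everything else is reported for manual verification.
"""
import os
import re
import tempfile
from urllib.parse import urlsplit

URL_RE = re.compile(r"""https?://[^\s'"<>)\]]+""")
ENV_RE = re.compile(
    r"""os\.(?:environ(?:\.get)?|getenv)\s*[\[(]\s*['"]([A-Za-z0-9_]+)['"]"""
)

# Hosts the review treats as expected. The Helius and Solana RPC hostnames
# are assumptions for this example, not taken from the skill's code.
ALLOWED_HOST_SUFFIXES = (
    "pump.fun",
    "dexscreener.com",
    "helius-rpc.com",
    "solana.com",
)


def _allowed(host, allowed):
    # Exact match or a true subdomain; "pump.fun.attacker.com" does not pass.
    return any(host == s or host.endswith("." + s) for s in allowed)


def audit_source(text, allowed=ALLOWED_HOST_SUFFIXES):
    """Return (flagged_hosts, env_vars) for one file's source text."""
    hosts = set()
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname
        if host:
            hosts.add(host.lower())
    flagged = sorted(h for h in hosts if not _allowed(h, allowed))
    env_vars = sorted(set(ENV_RE.findall(text)))
    return flagged, env_vars


def audit_bundle(root, allowed=ALLOWED_HOST_SUFFIXES):
    """Audit every .py file under root; map relative path -> (flagged, env_vars)."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in sorted(files):
            if not name.endswith(".py"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                flagged, env_vars = audit_source(fh.read(), allowed)
            if flagged or env_vars:
                report[os.path.relpath(path, root)] = (flagged, env_vars)
    return report


# Constructed sample mimicking the endpoints the verdict mentions; the Helius
# and public Solana RPC URLs are assumed, not quoted from the skill.
SAMPLE_SOURCE = '''
import os
PUMP = "https://frontend-api.pump.fun/coins/"
META = "https://client-api-2-74b1891ee9f9.herokuapp.com/coins/"
DEX = "https://api.dexscreener.com/latest/dex/tokens/"
KEY = os.environ.get("HELIUS_API_KEY")
RPC = f"https://mainnet.helius-rpc.com/?api-key={KEY}" if KEY else "https://api.mainnet-beta.solana.com"
'''


def demo():
    """Write the constructed sample into a temp bundle and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        os.makedirs(os.path.join(tmp, "scripts"))
        with open(os.path.join(tmp, "scripts", "score.py"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_SOURCE)
        return audit_bundle(tmp)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    for path, (flagged, env_vars) in (audit_bundle(target) if target else demo()).items():
        print(f"{path}: unlisted hosts={flagged} env vars={env_vars}")
```

Run it as `python audit_endpoints.py path/to/unpacked/skill`; with no argument it audits the constructed sample and reports the Herokuapp host and HELIUS_API_KEY. It is a static pass over string literals, so it misses URLs assembled at runtime or fetched from configuration, which is why the guidance also recommends watching the process's actual network calls behind an egress proxy.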
