Ponzu Launchpad
v1.0.1
Deploy and interact with Ponzu token launchpad — presales, DEX swaps, and LP farming on Ethereum
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The skill is a token launchpad and declares PONZU_PRIVATE_KEY, PONZU_NETWORK, and PONZU_RPC_URL — credentials and config that are expected and necessary to sign and broadcast Ethereum transactions.
Instruction Scope
SKILL.md contains code examples that sign transactions with process.env.PONZU_PRIVATE_KEY and broadcast to the configured RPC. This stays within the stated purpose, but the instructions also advise installing @ponzu_app/sdk from npm (external code) which could introduce behavior beyond what the prose states (e.g., telemetry or additional network requests). The manifest does not include an automated install spec — installation is manual/implicit in the instructions.
Install Mechanism
No install spec is included in the registry (lowest automated risk), but the README explicitly tells users to run npm install @ponzu_app/sdk viem. Pulling an npm package is a moderate-risk action because it executes third-party code; verify the package source and contents before running.
Credentials
Only three env vars are required (private key, network, RPC URL). These are proportionate to deploying and interacting with Ethereum contracts. PONZU_PRIVATE_KEY is highly sensitive — the skill documents recommended mitigations (dedicated wallet, testnet).
Persistence & Privilege
always is false; the skill does not request system-wide config paths or cross-skill modifications and contains no install scripts in the registry. It does not ask to remain permanently enabled.
Assessment
This skill appears to do what it says (deploy and interact with a Ponzu launchpad), but you should take precautions before using it:
1) Never expose your main private key — create and fund a dedicated ephemeral wallet for deployments and testing.
2) Test thoroughly on a testnet (Sepolia) first.
3) Inspect the @ponzu_app/sdk package source (and viem usage) on the npm registry / GitHub before running npm install — npm packages can run arbitrary code.
4) Prefer using a trusted RPC endpoint (or your own node) — public RPC providers may see transaction payloads.
5) If you want to avoid exposing a raw private key to the environment, consider signing transactions offline or with a hardware wallet / dedicated signing service.
If you want extra assurance, request the package's source repository, audit reports, and the on-chain contract addresses referenced by the skill before proceeding.
Like a lobster shell, security has layers — review code before you run it.
latestvk9788r8k389t276wyx3s5gde6x82d4qd
Runtime requirements
🍋 Clawdis
Env: PONZU_PRIVATE_KEY, PONZU_NETWORK, PONZU_RPC_URL
Primary env: PONZU_PRIVATE_KEY
