Ponzu Launchpad
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill matches its Ethereum launchpad purpose, but it asks for a raw wallet private key and enables irreversible mainnet financial transactions without clear built-in approval or spending limits.
Only use this with a fresh dedicated wallet funded with the minimum ETH needed, preferably on Sepolia first. Do not provide your main wallet private key. Make sure your agent asks you before signing every transaction, and pin or review the npm packages before using the SDK.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Anyone or any agent process with access to this private key can authorize transactions from that wallet, potentially spending its ETH or interacting with contracts irreversibly.
The skill uses a raw Ethereum private key as its primary credential for signing transactions, while also acknowledging that read-only use does not need that key.
requires:
  env:
    - PONZU_PRIVATE_KEY
... primaryEnv: PONZU_PRIVATE_KEY ... `PONZU_PRIVATE_KEY` is used locally by viem's `privateKeyToAccount()` to sign transactions ... **Omit `PONZU_PRIVATE_KEY`** for read-only access
Use only a newly created, dedicated wallet with minimal funds; do not provide a main wallet key; omit the key for read-only tasks; and require explicit user approval before any transaction is signed.
A mistaken or overly autonomous agent action could create contracts, spend ETH, or perform other on-chain actions that cannot be reversed.
The documented workflow signs and broadcasts mainnet transactions that spend funds and deploy contracts, but the artifact does not show a mandatory confirmation or spending-limit guardrail.
Deploying a token creates a complete system in one transaction ... **Cost:** 0.005 ETH creation fee + optional dev buy amount. ... const result = await deploy(... wallet, client, 'mainnet')
Before installing or using, configure the agent to ask for confirmation for every transaction, review network and amounts, test on Sepolia first, and keep the wallet balance capped.
Users must trust the npm packages they install; a compromised or changed package version could affect wallet-signing behavior.
The skill relies on user-installed npm packages, including an unpinned SDK, and no bundled code or lockfile is available in the reviewed artifacts.
npm install @ponzu_app/sdk viem
Install from trusted sources, pin package versions, review the SDK before use, and avoid running it with a valuable wallet key.
