jcoulaud

Ship My Token

by Julien Coulaud · GitHub ↗ · v1.5.3
cross-platform ⚠ suspicious
Downloads: 516
Stars: 0
Active Installs: 1
Versions: 1
Install in OpenClaw
/install ship-my-token
Description
Launch Solana tokens on Pumpfun, create memecoins, mint crypto tokens, manage creator fee sharing, claim trading earnings, and track your portfolio. Deploy t...
Usage Guidance
What to consider before installing:

- This skill will create (unless you provide one) and store an unencrypted Solana private key in ~/.shipmytoken/config.json and may print/export it on request; anyone with that key controls your funds. If you install, either supply a wallet you control via SOLANA_PRIVATE_KEY or be prepared to manage the generated key securely.
- The skill asks you to send ~0.02 SOL (and optionally more for an initial buy) to the wallet it creates. The code enforces a 20% cut to a hardcoded developer wallet; the README and SKILL.md disclose this, but confirm you’re comfortable with that revenue split before funding the wallet.
- On first activation the agent will run npm install, run setup, and may modify your workspace (create/append HEARTBEAT.md or register scheduled jobs). If you want to audit or sandbox first, do not run it on a machine containing real funds or sensitive data. Consider running in an isolated environment and pointing SOLANA_RPC_URL to a devnet/testnet RPC before using mainnet.
- The package pulls standard Solana and Pump SDKs from npm (traceable), but npm installs fetch code from the ecosystem; audit dependencies if you need stronger assurance.
- If you want to use the skill but keep custody: create your own wallet (Keypair), set SOLANA_PRIVATE_KEY and SOLANA_PUBLIC_KEY in environment/config yourself, and do not allow the skill to create or export keys. Also review and consider removing the automatic 20% share behavior if you cannot accept it.
- If you are unsure, do not install or fund the generated wallet. Ask the skill author for an auditable security/privacy statement, or review the repository code line-by-line (particularly config storage, network endpoints, and any code that sends data outside pump.fun/GitHub).
Capability Analysis
Type: OpenClaw Skill
Name: ship-my-token
Version: 1.5.3

The skill is classified as suspicious due to a significant shell injection vulnerability. The `SKILL.md` instructs the AI agent to execute `node` commands (e.g., `node {baseDir}/src/launch.mjs` and `node {baseDir}/src/fees.mjs`) with arguments directly derived from user input (e.g., token name, symbol, image path/URL, vanity address patterns, mint addresses, and fee shares). If the AI agent does not rigorously sanitize these user-provided inputs before constructing and executing the shell command, an attacker could inject arbitrary shell commands, potentially leading to remote code execution on the host system. While the code itself does not exhibit intentional malicious behavior like data exfiltration to unauthorized endpoints or stealthy backdoors, this vulnerability represents a critical security flaw.
Capability Assessment
Purpose & Capability
The name/description (launch tokens, claim fees, portfolio) aligns with the included code and dependencies (Solana SDKs, Pump SDK). However the registry metadata declares no required env vars while the code expects/uses SOLANA_PRIVATE_KEY (via config or env) and an optional SOLANA_RPC_URL; that's an inconsistency in declared requirements. The skill also hardcodes a developer wallet and enforces a 20% (2000 bps) share — this is consistent with the README/SKILL.md but is a design choice users should be aware of.
Instruction Scope
SKILL.md instructs the agent to immediately run onboarding on first activation (create wallet, install deps, set up daily recaps) and to run setup on every interaction. It also instructs creating/modifying workspace files (HEARTBEAT.md) and installing node modules. The flow creates a wallet for the user and asks them to send ~0.02 SOL to that wallet, i.e., the skill will control a private key it generates. The instructions also tell the agent to bypass generic confirmation ("do NOT fall back to generic token advice"), which reduces user prompts and increases risk if the user did not intend immediate on-chain actions.
Install Mechanism
There is no formal install spec in the registry (instruction-only), but SKILL.md instructs running npm install and references package.json dependencies. The dependencies listed are standard Solana/Pump SDKs from npm (traceable). This is a moderate risk (npm install fetches remote packages) but not unusual for a Node-based skill.
Credentials
The skill requires control of a Solana private key to operate. It will create and store the private key in ~/.shipmytoken/config.json (file perms are set to 600), and also accepts keys via the SOLANA_PRIVATE_KEY env var — yet the registry metadata lists no required credentials. Storing an unencrypted private key on disk and printing/exporting it (setup --export) is necessary for on-chain operations but is a sensitive action; users must understand the private key custody implications. The developer-enforced 20% share (hardcoded SHIPMYTOKEN_WALLET) is also a credential-like trust decision: funds or fee flows will benefit a third party by design.
Persistence & Privilege
The skill persists state on disk (~/.shipmytoken/) and in the workspace (creating/appending HEARTBEAT.md), sets up recurring daily recaps via the platform scheduler or cron if available, and will install node modules. It does not request always:true, but the combination of automatic onboarding, persistent wallet storage, and scheduled tasks increases its ongoing footprint and blast radius if misused.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install ship-my-token
  3. After installation, invoke the skill by name or use /ship-my-token
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.5.3
Version 1.5.3 brings onboarding improvements, automated daily recaps, and a refined launch flow for Solana tokens on Pumpfun.

- Adds automatic onboarding when the skill is first installed, including wallet setup and a clear welcome message with next steps.
- Implements daily portfolio recaps, using the host platform’s scheduling system when possible.
- Guides users through token launch with a structured conversation: collects only necessary details and offers optional fields in a single follow-up.
- Explains creator fee tiers and potential earnings simply, with tables for quick reference.
- Enhances robustness by checking/installing dependencies and prompting for updates if a new skill version is available.
Metadata
Slug ship-my-token
Version 1.5.3
License
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is Ship My Token?

Launch Solana tokens on Pumpfun, create memecoins, mint crypto tokens, manage creator fee sharing, claim trading earnings, and track your portfolio. Deploy t... It is an AI Agent Skill for Claude Code / OpenClaw, with 516 downloads so far.

How do I install Ship My Token?

Run "/install ship-my-token" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Ship My Token free?

Yes, Ship My Token is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Ship My Token support?

Ship My Token is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Ship My Token?

It is built and maintained by Julien Coulaud (@jcoulaud); the current version is v1.5.3.
