moonfun_sdk
by moonnfunOfficial · GitHub · v1.0.6
608 Downloads · 0 Stars · 0 Active Installs · 3 Versions
Install in OpenClaw: /install moonfunsdk
Description
Python SDK for BSC enabling creation of AI-generated Meme tokens with stable minting and experimental token trading (buy/sell) features.
Usage Guidance
This package implements its stated features, but review and caution are required before using with real funds or your primary wallet. Actionable steps:
- Do not use your main wallet; create a dedicated disposable wallet with a small BNB balance for testing.
- Expect to set PRIVATE_KEY (environment variable or parameter) — the registry metadata omitted this; confirm required envs before installing.
- Replace the default image API URL (http://moonfun.site) with an HTTPS endpoint or self-host the image API to avoid sending signatures and addresses over plaintext HTTP. If you must use the default, inspect network traffic (mitmproxy) and be aware signatures could be observed/replayed within their time window.
- Note auth.py exposes a .private_key property. If you or other code call that, the raw key becomes accessible in-process — avoid calling it and consider modifying the SDK to remove that accessor before use.
- Audit the code paths that transmit data (image_api.py, platform.py) to confirm only signatures and addresses are sent and that timestamps/replay-windows match your threat model.
- Prefer installing from reviewed source (pip install -e .) after inspecting the files, and run dependency scanners (safety, bandit). Start with minimal BNB and small test transactions.
If you want, I can point out the exact lines that implement the .private_key accessor and the default HTTP endpoint and suggest minimal code changes (e.g., remove the accessor, require HTTPS) to reduce risk.
Capability Analysis
Type: OpenClaw Skill
Name: moonfunsdk
Version: 1.0.6
The skill bundle is classified as suspicious due to a significant vulnerability: the image generation API (`http://moonfun.site`) uses unencrypted HTTP to transmit sensitive data, including the user's wallet address, cryptographic signature, and AI prompt. The documentation explicitly states that the private key is handled locally for signing, and the code appears to do so, but the use of HTTP exposes the transmitted values to potential Man-in-the-Middle (MITM) attacks, allowing interception of user identity and authentication tokens. This vulnerability is present in `python/moonfun_sdk/image_api.py` and in the default configuration in `python/moonfun_sdk/client.py` and `python/moonfun_sdk/constants.py`. The extensive documentation and explicit security claims, including instructions for auditing private key handling, suggest an intent for transparency rather than malice, but the unencrypted communication of sensitive data constitutes a critical flaw.
Capability Assessment
Purpose & Capability
Source files (auth, blockchain, image_api, platform, trading) align with the stated purpose of creating/trading BSC meme tokens with AI images. However the runtime metadata/registry says no required env vars or credentials while SKILL.md and code clearly require a PRIVATE_KEY (and optionally MOONFUN_IMAGE_API_URL). That mismatch is an integrity issue the reviewer should resolve.
Instruction Scope
SKILL.md instructs the agent/user to provide a PRIVATE_KEY and to send cryptographic signatures/address/timestamps to hosted services. The default image API endpoint is http://moonfun.site (plain HTTP) in multiple documents — sending signatures and addresses over unencrypted HTTP risks interception/replay during the allowed time window. The SDK claims private keys are never transmitted, and code signs messages locally, but signatures themselves (and timestamps/prompts) are transmitted and could be abused if intercepted within the replay window.
Install Mechanism
There is no high-risk install mechanism in the package metadata (no arbitrary remote downloads). The repository includes setup.py and standard requirements; dependencies are mainstream (web3, eth-account, requests/httpx). Minor inconsistency: the skill metadata indicated ‘instruction-only’ yet a full Python package is included — not a security risk but an administrative mismatch.
Credentials
Requesting a PRIVATE_KEY is proportionate to signing transactions, but the registry metadata omitted it. Additionally auth.py exposes a .private_key property that returns the raw key string — this API increases the chance the key could be accidentally read and transmitted by calling code. The default image API is HTTP (unencrypted), increasing risk even though private keys themselves are not sent.
Persistence & Privilege
The skill does not request always:true or any elevated system persistence. It does not declare writing to other skills' config or system-wide settings. No unusual privilege escalation was found in the included files.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat: /install moonfunsdk
- After installation, invoke the skill by name or use /moonfunsdk
- Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.6
v1.0.6 is a minor update focusing on token categorization.
- Token tag set to "Ai Agent"
- Improved categorization
v1.0.1
Moonfunsdk 1.0.1
- Initial open-source release of the MoonfunSDK for Python.
- Provides full SDK for creating meme tokens with AI-generated images on Binance Smart Chain.
- Includes experimental buy/sell token methods.
- Added core modules: authentication, blockchain, platform integration, image API, trading, and error handling.
- Added documentation, security guidelines, configuration instructions, and example usage.
- All new files and directories introduced for Python SDK structure.
v1.0.0
Professional SDK for creating and trading Meme tokens on BSC with AI-powered image generation.
Frequently Asked Questions
What is moonfun_sdk?
Python SDK for BSC enabling creation of AI-generated Meme tokens with stable minting and experimental token trading (buy/sell) features. It is an AI Agent Skill for Claude Code / OpenClaw, with 608 downloads so far.
How do I install moonfun_sdk?
Run "/install moonfunsdk" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is moonfun_sdk free?
Yes, moonfun_sdk is completely free (open-source). You can download, install and use it at no cost.
Which platforms does moonfun_sdk support?
moonfun_sdk is cross-platform and runs anywhere OpenClaw / Claude Code is available.
Who created moonfun_sdk?
It is built and maintained by moonnfunOfficial (@moonnfunofficial); the current version is v1.0.6.