lvcidpsyche

Solpaw-Launcher

by LvcidPsyche · GitHub ↗ · v3.0.2
cross-platform ⚠ suspicious
Downloads 931
Stars 0
Active Installs 2
Versions 2
Install in OpenClaw
/install solpaw-launcher
Description
Launch Solana tokens on Pump.fun via the SolPaw platform. 0.1 SOL one-time fee. Your wallet is the onchain creator.
Usage Guidance
Do not install or give secrets until the implementation mismatch is resolved. The two red flags: (1) the docs promise local (client) transaction signing but the included SDK code calls the server-side /tokens/launch endpoint (which may make the platform the onchain creator), and (2) the skill declares SOLANA_PRIVATE_KEY required even though the code doesn't use it. Before using:
  1. Ask the author which endpoint the SDK will call in production and whether the skill actually performs local signing or server signing.
  2. If you plan to proceed, NEVER use your main wallet private key; create an ephemeral wallet with only ~0.15 SOL.
  3. Prefer code that uses /tokens/launch-local + /tokens/submit (or review and modify the SDK to implement local signing).
  4. Verify the API base URL (https://api.solpaw.fun) and the platform wallet on an independent source (official docs, repo).
  5. Test on devnet or with a small amount before committing larger funds.
If the author confirms the SDK will be changed to local signing or removes the private-key env requirement, re-evaluate; that would reduce concern.
Capability Analysis
Type: OpenClaw Skill
Name: solpaw-launcher
Version: 3.0.2
The skill is classified as suspicious due to a significant functional discrepancy between the advertised security model and the implemented SDK behavior. While `SKILL.md` and `README.md` strongly emphasize 'Local Mode' where the agent's wallet is the on-chain creator and `SOLANA_PRIVATE_KEY` is used for local signing only, the `solpaw-skill.ts` SDK's `launchToken` method uses the `/tokens/launch` API endpoint, which is described in `references/api-docs.md` as a 'Fallback' where the server signs the transaction and the platform wallet becomes the on-chain creator. This misrepresentation of token ownership and transaction signing mechanism, despite the `SOLANA_PRIVATE_KEY` not being exfiltrated, creates a trust vulnerability.
Capability Assessment
Purpose & Capability
Name/description (launch Solana tokens) match the API and files (SDK, README, API docs). However the code calls the server-side /tokens/launch endpoint (server-signing / 'Lightning' mode) while the SKILL.md and README repeatedly recommend Local Mode (/tokens/launch-local) and claim the agent's wallet will be the onchain creator. The skill also declares SOLANA_PRIVATE_KEY as required, but the TypeScript code does not use it. This mismatch between what is claimed and what is implemented is incoherent.
Instruction Scope
SKILL.md provides explicit curl commands for registering, fetching a CSRF token, uploading images, building an unsigned transaction (launch-local) and submitting a signed transaction. Those instructions are scoped to the launch task and do not ask for unrelated system files. However the README and SKILL.md strongly advise local signing while the shipped SDK code uses the server-signing endpoint — that divergence changes what data is actually needed/transmitted and how authority over the resulting onchain mint is assigned. The skill also instructs the user to send irreversible funds (0.1 SOL) to a platform wallet; that is expected for this purpose but is a high-impact action that users must explicitly authorize.
Install Mechanism
Instruction-only / TypeScript source included; no download-from-URL installs or remote execution steps. package.json and TS file are present but there is no high-risk install mechanism. Required binary 'curl' is reasonable for the curl examples.
Credentials
The declared required env vars (SOLPAW_API_KEY, SOLPAW_CREATOR_WALLET, SOLANA_PRIVATE_KEY, SOLPAW_API_URL) mostly make sense: API key and creator wallet for the service. But SOLANA_PRIVATE_KEY is flagged as required even though the provided TypeScript code never uses it (the code does not perform local signing). Asking for a private key is high-sensitivity and should only be requested if local signing is actually implemented. That mismatch is disproportionate and risky if users supply their main wallet key.
Persistence & Privilege
The skill is not always-enabled, it is user-invocable only, and model invocation is disabled (so it cannot autonomously run). It does not request system-wide config paths or try to modify other skills. No persistence/privilege escalation indicators.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install solpaw-launcher
  3. After installation, invoke the skill by name or use /solpaw-launcher
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v3.0.2
- Added strong security guidance and warnings regarding private key usage; recommend dedicated ephemeral wallets for launches.
- Enforced explicit user-invocation only; skill may not be called autonomously by agents.
- Updated prerequisites: `SOLPAW_API_URL` must be set in environment variables.
- Disabled model invocation: now requires explicit user action.
- Expanded and clarified security section on transaction signing, API keys, environment variables, and daily launch limits.
- Revised constraints to emphasize no logging or transmitting of private keys and stricter user-approval requirements.
v3.0.1
solpaw-launcher 3.0.1
- Added comprehensive user guide for launching Solana tokens via SolPaw, including prerequisites, fee details, and full command-line/SDK steps.
- Clarified environment variable requirements: SOLPAW_API_KEY, SOLPAW_CREATOR_WALLET, and SOLANA_PRIVATE_KEY.
- Documented new workflow: register agent, obtain CSRF token, pay launch fee, upload image, and launch token with agent wallet as onchain creator.
- Outlined constraints and best practices for safe token launches (approval, limits, image use).
- Included code examples for both cURL and TypeScript SDK usage, enhancing developer onboarding.
Metadata
Slug solpaw-launcher
Version 3.0.2
License
All-time Installs 2
Active Installs 2
Total Versions 2
Frequently Asked Questions

What is Solpaw-Launcher?

Launch Solana tokens on Pump.fun via the SolPaw platform. 0.1 SOL one-time fee. Your wallet is the onchain creator. It is an AI Agent Skill for Claude Code / OpenClaw, with 931 downloads so far.

How do I install Solpaw-Launcher?

Run "/install solpaw-launcher" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Solpaw-Launcher free?

Yes, Solpaw-Launcher is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Solpaw-Launcher support?

Solpaw-Launcher is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created Solpaw-Launcher?

It is built and maintained by LvcidPsyche (@lvcidpsyche); the current version is v3.0.2.
