← Back to Skills Marketplace

Pumpfun Agent Integration

Name: Pumpfun Agent Integration
Author: belimad

by Belimad · GitHub ↗ · v1.0.1 · MIT-0

cross-platform ⚠ suspicious

258

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install pumpclaw-agent

Description

Generate customer-ready Telegram polling bots + an Express-style web server that integrate Pump.fun Tokenized Agent payments using @pump-fun/agent-payments-s...

Usage Guidance

What to consider before installing or using this skill: - Inconsistency: The registry lists no required env vars, but the template requires multiple secrets (treasury secret key, API/BILLING tokens, Telegram bot token, RPC URL). Expect to provide and securely store those before running. - Env-var mismatch: Files use different env names (server.cjs expects SOLANA_RPC_URL while server.js expects RPC_URL). Confirm and unify the .env.example and runtime env names when stamping the template. - Sensitive key handling: The template generates per-user deposit wallets and stores their private keys (base58) in a local SQLite DB. This is a potential secret-exfiltration / theft risk if deployed as-is. For production, avoid storing raw private keys, use custodial best-practices, hardware modules, or derive one-time addresses that do not require storing long-term secrets. - TREASURY_SECRET_KEY_BASE58: This secret is required for treasury operations; do not commit it to source control and store it securely (secrets manager or HSM). The SKILL.md's 'do not commit .env' is necessary but not sufficient guidance. - Audit dependencies and code: The package-lock.json includes many third-party packages. Review @pump-fun/agent-payments-sdk and other dependencies for trustworthiness and expected behavior before using funds. - Run in isolation: Test the stamped project in an isolated environment with testnet RPC and throwaway keys first. Verify the invoice validation flow and that no unintended network calls or logging of secret material occur. - Operational hardening: Add access controls around the API_TOKEN/BILLING_TOKEN, enable TLS, secure the SQLite DB file, rotate keys, and add audit logging. Consider not using the demo pattern of per-user secret storage for production. Given the above mismatches and sensitive behaviors, do not deploy this template to production without resolving env-name inconsistencies, implementing safer key custody, and performing a security review.

Capability Analysis

Type: OpenClaw Skill Name: pumpclaw-agent Version: 1.0.1 The skill bundle provides a Telegram bot scaffold that implements a custodial wallet system, generating and storing user Solana private keys in a local SQLite database (deposit_secret_b58) to automate payments. This implementation directly contradicts the safety instructions in SKILL.md, which explicitly state 'Never sign transactions on behalf of the user.' Additionally, the server configuration (server.cjs and server.js) requires a sensitive TREASURY_SECRET_KEY_BASE58 environment variable that is initialized but never actually utilized in the provided code logic. While these patterns are common in high-risk custodial bot designs, the discrepancy between documentation and implementation, combined with the unnecessary collection of sensitive keys, makes the bundle suspicious.

Capability Assessment

ℹ Purpose & Capability

Name/description (Telegram + web server + Pump.fun payments) align with the included templates and code: the project includes server and Telegram bot implementations and uses @pump-fun/agent-payments-sdk and @solana/web3.js. However the registry metadata declares no required env vars/credentials while the template and runtime files clearly require multiple secrets (TREASURY_SECRET_KEY_BASE58, API_TOKEN, TELEGRAM_BOT_TOKEN, BILLING_TOKEN, etc.). That omission is an incoherence that could mislead installers.

⚠ Instruction Scope

SKILL.md instructs stamping and configuring the template and lists some env vars, and the code implements the payment and bot flows. Problems: env-var names are inconsistent across files (SKILL.md references SOLANA_RPC_URL; server.js expects RPC_URL; server.cjs expects SOLANA_RPC_URL), which can cause misconfiguration. The template code generates per-user deposit keypairs and stores deposit_secret_b58 in SQLite — a sensitive action that SKILL.md does not explicitly warn about or prescribe secure handling for (only a generic 'do not commit .env' rule). The safety rules claim 'Never sign transactions on behalf of the user' yet the server signs transactions using server-generated deposit keypairs (server-side signing is intended here but the phrasing is ambiguous).

✓ Install Mechanism

No install spec is declared (instruction-only skill) and the repository only includes a stamp script plus an npm project template. Dependencies are standard npm packages (Pump SDK, solana/web3, fastify, grammy, etc.) captured in package.json and package-lock.json. No external download URLs or archive extraction from unknown hosts are used in the skill itself.

⚠ Credentials

The template requires several sensitive environment values (TREASURY_SECRET_KEY_BASE58, API_TOKEN/BILLING_TOKEN, TELEGRAM_BOT_TOKEN, DB_PATH, RPC URL) which are proportionate to a billing server but were omitted from the registry metadata. In addition, the service stores per-user deposit private keys (deposit_secret_b58) in the SQLite DB — reasonable for the provided demo flow but high-risk for production. The mismatch and storage of private keys should be explicitly documented and reworked for secure deployments.

✓ Persistence & Privilege

The skill does not request always:true and does not modify other skills or global agent settings. It produces a project scaffold and scripts; there is no elevated platform persistence requested by the skill bundle itself.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install pumpclaw-agent
After installation, invoke the skill by name or use /pumpclaw-agent
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.1

Add Pump Tokenized Agent integration highlighting + sdk deps + env cleanup

v1.0.0

Initial release of the Telegram Web Bot Generator skill. - Generate ready-to-use Node.js projects with a polling-based Telegram bot and Express web server, based on a reusable template. - Supports custom Telegram commands/handlers, web APIs, environment variable setup, and customer-ready delivery. - Follows clear safety and quality guidelines (no secret leakage, only provide .env.example, includes rate limiting). - Outputs step-by-step run instructions and a smoke-test checklist. - Defaults to CommonJS and polling; prompts for needed info before creating the project. - Intended for fast, reliable customer bot+server codebase scaffolding.

Metadata

Slug pumpclaw-agent

Version 1.0.1

License MIT-0

All-time Installs 0

Active Installs 0

Total Versions 2

Frequently Asked Questions

What is Pumpfun Agent Integration?

Generate customer-ready Telegram polling bots + an Express-style web server that integrate Pump.fun Tokenized Agent payments using @pump-fun/agent-payments-s... It is an AI Agent Skill for Claude Code / OpenClaw, with 258 downloads so far.

How do I install Pumpfun Agent Integration?

Run "/install pumpclaw-agent" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Pumpfun Agent Integration free?

Yes, Pumpfun Agent Integration is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does Pumpfun Agent Integration support?

Pumpfun Agent Integration is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Pumpfun Agent Integration?

It is built and maintained by Belimad (@belimad); the current version is v1.0.1.

More Skills