← Back to Skills Marketplace

Blowfish Launch

Name: Blowfish Launch
Author: basedmereum

by basedmereum · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

641

Downloads

Stars

Active Installs

Versions

Install in OpenClaw

/install blowfish-launch

Description

Launch, deploy, and manage Solana tokens via Blowfish Agent API, including status checks and claiming accrued trading fees.

README (SKILL.md)

Blowfish Token Launch

Launch tokens on Solana programmatically via the Blowfish Agent API.

Base URL: https://api-blowfish.neuko.ai

Prerequisites

A Solana keypair (ed25519). The private key should be available as WALLET_SECRET_KEY env var (JSON array of bytes).
Node.js 18+ or Bun with @solana/web3.js, tweetnacl, bs58

Workflow

Authenticate — wallet-based challenge-response → JWT (15 min expiry)
Launch — POST token params → receive eventId
Poll — GET status by eventId until success or failed
Done — token is live on Solana via Meteora DBC

Quick Launch

Run the bundled script:

WALLET_SECRET_KEY='[...]' bun run scripts/blowfish-launch.ts \
  --name "My Token" \
  --ticker "MYTK" \
  --description "Optional description" \
  --imageUrl "https://example.com/logo.png"

API Endpoints

Authentication

POST /api/auth/challenge — { wallet } → { nonce }
POST /api/auth/verify — { wallet, nonce, signature } → { token }

Sign message: Sign this message to authenticate: \x3Cnonce> with ed25519, base58-encode signature.

Tokens

POST /api/v1/tokens/launch — { name, ticker, description?, imageUrl? } → { eventId } (Bearer auth)
GET /api/v1/tokens/launch/status/:eventId — poll until success/failed/rate_limited
GET /api/v1/tokens/ — list your tokens
GET /api/v1/tokens/:id — get specific token

Fee Claiming

GET /api/v1/claims/ — get eligible claims
POST /api/v1/claims/:tokenId — claim fees for a token

Token Parameters

Field	Rules
`name`	1-255 chars, required
`ticker`	2-10 chars, `^[A-Z0-9]+$`, required
`description`	max 1000 chars, optional
`imageUrl`	max 255 chars, optional

Error Handling

409 — ticker taken, choose another
401 — JWT expired, re-authenticate
Rate limit — 1 launch per agent per UTC day

Full API Reference

See references/api.md for complete endpoint documentation.

Usage Guidance

This skill implements its stated purpose (launching Solana tokens) and the script legitimately needs a wallet private key to sign authentication challenges. However: (1) the registry metadata does not declare the WALLET_SECRET_KEY env var or the runtime dependencies — ask the publisher to update metadata to accurately list required env vars and runtime. (2) The source and homepage are unknown; verify the operator (api-blowfish.neuko.ai) and confirm you trust them before exposing any private key. (3) Because a JWT scope includes "trade", a compromised key could enable trading/claims — never use your primary/mainnet wallet. Test with a throwaway wallet that holds minimal funds and rotate keys after testing. (4) Prefer providing keys from an ephemeral environment (not a long-lived system env that other skills or processes can read), and review network traffic or the service's documentation if possible. (5) If you need higher assurance, ask the publisher for a provenance link (Git repo, homepage, maintainers), or request that the registry metadata be corrected to list WALLET_SECRET_KEY and runtime requirements before installing.

Capability Analysis

Type: OpenClaw Skill Name: blowfish-launch Version: 1.0.0 The skill bundle is benign. Its purpose is to launch tokens on Solana via the Blowfish Agent API, which requires a Solana keypair. The `scripts/blowfish-launch.ts` script correctly reads the `WALLET_SECRET_KEY` environment variable, uses it to sign an authentication message, and then interacts with the `https://api-blowfish.neuko.ai` endpoint as described. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts in `SKILL.md` that would subvert the agent's intended behavior. All network calls are to the documented API, and the handling of the sensitive `WALLET_SECRET_KEY` is consistent with the skill's stated purpose.

Capability Assessment

⚠ Purpose & Capability

The skill's name, SKILL.md, and script all describe launching tokens via the Blowfish Agent API and the included script implements that workflow. That capability is coherent with the stated purpose. However, the registry metadata claims no required environment variables or binaries, while both SKILL.md and scripts/blowfish-launch.ts require a WALLET_SECRET_KEY env var and Node/Bun runtime + certain JS libraries. The missing declaration of the wallet secret in the metadata is an inconsistency and should be justified or fixed.

⚠ Instruction Scope

The SKILL.md and the bundled script are narrowly scoped to: read WALLET_SECRET_KEY, perform a wallet-based challenge/verify with api-blowfish.neuko.ai, POST launch parameters, poll status, and optionally call claim endpoints. They do not ask to read unrelated system files. The concern is that the instructions explicitly require the wallet private key (WALLET_SECRET_KEY) and will transmit signatures and JWT-authenticated requests to an external service — behavior that is expected for launching tokens but sensitive and not declared in registry metadata.

✓ Install Mechanism

There is no install spec (instruction-only plus a script), so nothing will be automatically downloaded or written by an installer. This is low-risk from an install mechanism perspective. The script expects Node.js/Bun and some npm packages but does not install them itself.

⚠ Credentials

The script requires WALLET_SECRET_KEY (a full ed25519 private key) to be provided via an environment variable, but the skill metadata lists no required env vars or primary credential. This mismatch is a red flag. The API issues a JWT with scope ["read","trade"] per references/api.md, which implies the authenticated token could permit trading or other account actions — further increasing sensitivity of the private key. No other unrelated secrets are requested, which is appropriate, but the omission from metadata and the sensitivity of the key justify caution.

✓ Persistence & Privilege

The skill does not request permanent presence (always: false) and does not modify other skills or system-wide agent settings. Autonomous invocation is enabled by default (disable-model-invocation: false), which is normal; combine that with the required wallet key only if you trust the skill and operator.

How to Use

Make sure OpenClaw is installed (local or Docker)
Run the install command in chat: /install blowfish-launch
After installation, invoke the skill by name or use /blowfish-launch
Provide required inputs per the skill's parameter spec and get structured output

Version History

v1.0.0

Initial release — launch tokens on Solana via Blowfish Agent API (Meteora DBC)

Metadata

Slug blowfish-launch

Version 1.0.0

License —

All-time Installs 0

Active Installs 0

Total Versions 1

Frequently Asked Questions

What is Blowfish Launch?

Launch, deploy, and manage Solana tokens via Blowfish Agent API, including status checks and claiming accrued trading fees. It is an AI Agent Skill for Claude Code / OpenClaw, with 641 downloads so far.

How do I install Blowfish Launch?

Run "/install blowfish-launch" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is Blowfish Launch free?

Yes, Blowfish Launch is completely free (open-source). You can download, install and use it at no cost.

Which platforms does Blowfish Launch support?

Blowfish Launch is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created Blowfish Launch?

It is built and maintained by basedmereum (@basedmereum); the current version is v1.0.0.

More Skills