← 返回 Skills 市场

Blowfish Launch

Name: Blowfish Launch
Author: basedmereum

作者 basedmereum · GitHub ↗ · v1.0.0

cross-platform ⚠ suspicious

641

总下载

当前安装

版本数

在 OpenClaw 中安装

/install blowfish-launch

功能描述

Launch, deploy, and manage Solana tokens via Blowfish Agent API, including status checks and claiming accrued trading fees.

使用说明 (SKILL.md)

Blowfish Token Launch

Launch tokens on Solana programmatically via the Blowfish Agent API.

Base URL: https://api-blowfish.neuko.ai

Prerequisites

A Solana keypair (ed25519). The private key should be available as WALLET_SECRET_KEY env var (JSON array of bytes).
Node.js 18+ or Bun with @solana/web3.js, tweetnacl, bs58

Workflow

Authenticate — wallet-based challenge-response → JWT (15 min expiry)
Launch — POST token params → receive eventId
Poll — GET status by eventId until success or failed
Done — token is live on Solana via Meteora DBC

Quick Launch

Run the bundled script:

WALLET_SECRET_KEY='[...]' bun run scripts/blowfish-launch.ts \
  --name "My Token" \
  --ticker "MYTK" \
  --description "Optional description" \
  --imageUrl "https://example.com/logo.png"

API Endpoints

Authentication

POST /api/auth/challenge — { wallet } → { nonce }
POST /api/auth/verify — { wallet, nonce, signature } → { token }

Sign message: Sign this message to authenticate: \x3Cnonce> with ed25519, base58-encode signature.

Tokens

POST /api/v1/tokens/launch — { name, ticker, description?, imageUrl? } → { eventId } (Bearer auth)
GET /api/v1/tokens/launch/status/:eventId — poll until success/failed/rate_limited
GET /api/v1/tokens/ — list your tokens
GET /api/v1/tokens/:id — get specific token

Fee Claiming

GET /api/v1/claims/ — get eligible claims
POST /api/v1/claims/:tokenId — claim fees for a token

Token Parameters

Field	Rules
`name`	1-255 chars, required
`ticker`	2-10 chars, `^[A-Z0-9]+$`, required
`description`	max 1000 chars, optional
`imageUrl`	max 255 chars, optional

Error Handling

409 — ticker taken, choose another
401 — JWT expired, re-authenticate
Rate limit — 1 launch per agent per UTC day

Full API Reference

See references/api.md for complete endpoint documentation.

安全使用建议

This skill implements its stated purpose (launching Solana tokens) and the script legitimately needs a wallet private key to sign authentication challenges. However: (1) the registry metadata does not declare the WALLET_SECRET_KEY env var or the runtime dependencies — ask the publisher to update metadata to accurately list required env vars and runtime. (2) The source and homepage are unknown; verify the operator (api-blowfish.neuko.ai) and confirm you trust them before exposing any private key. (3) Because a JWT scope includes "trade", a compromised key could enable trading/claims — never use your primary/mainnet wallet. Test with a throwaway wallet that holds minimal funds and rotate keys after testing. (4) Prefer providing keys from an ephemeral environment (not a long-lived system env that other skills or processes can read), and review network traffic or the service's documentation if possible. (5) If you need higher assurance, ask the publisher for a provenance link (Git repo, homepage, maintainers), or request that the registry metadata be corrected to list WALLET_SECRET_KEY and runtime requirements before installing.

功能分析

Type: OpenClaw Skill Name: blowfish-launch Version: 1.0.0 The skill bundle is benign. Its purpose is to launch tokens on Solana via the Blowfish Agent API, which requires a Solana keypair. The `scripts/blowfish-launch.ts` script correctly reads the `WALLET_SECRET_KEY` environment variable, uses it to sign an authentication message, and then interacts with the `https://api-blowfish.neuko.ai` endpoint as described. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts in `SKILL.md` that would subvert the agent's intended behavior. All network calls are to the documented API, and the handling of the sensitive `WALLET_SECRET_KEY` is consistent with the skill's stated purpose.

能力评估

⚠ Purpose & Capability

The skill's name, SKILL.md, and script all describe launching tokens via the Blowfish Agent API and the included script implements that workflow. That capability is coherent with the stated purpose. However, the registry metadata claims no required environment variables or binaries, while both SKILL.md and scripts/blowfish-launch.ts require a WALLET_SECRET_KEY env var and Node/Bun runtime + certain JS libraries. The missing declaration of the wallet secret in the metadata is an inconsistency and should be justified or fixed.

⚠ Instruction Scope

The SKILL.md and the bundled script are narrowly scoped to: read WALLET_SECRET_KEY, perform a wallet-based challenge/verify with api-blowfish.neuko.ai, POST launch parameters, poll status, and optionally call claim endpoints. They do not ask to read unrelated system files. The concern is that the instructions explicitly require the wallet private key (WALLET_SECRET_KEY) and will transmit signatures and JWT-authenticated requests to an external service — behavior that is expected for launching tokens but sensitive and not declared in registry metadata.

✓ Install Mechanism

There is no install spec (instruction-only plus a script), so nothing will be automatically downloaded or written by an installer. This is low-risk from an install mechanism perspective. The script expects Node.js/Bun and some npm packages but does not install them itself.

⚠ Credentials

The script requires WALLET_SECRET_KEY (a full ed25519 private key) to be provided via an environment variable, but the skill metadata lists no required env vars or primary credential. This mismatch is a red flag. The API issues a JWT with scope ["read","trade"] per references/api.md, which implies the authenticated token could permit trading or other account actions — further increasing sensitivity of the private key. No other unrelated secrets are requested, which is appropriate, but the omission from metadata and the sensitivity of the key justify caution.

✓ Persistence & Privilege

The skill does not request permanent presence (always: false) and does not modify other skills or system-wide agent settings. Autonomous invocation is enabled by default (disable-model-invocation: false), which is normal; combine that with the required wallet key only if you trust the skill and operator.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install blowfish-launch
安装完成后，直接呼叫该 Skill 的名称或使用 /blowfish-launch 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Initial release — launch tokens on Solana via Blowfish Agent API (Meteora DBC)

元数据

Slug blowfish-launch

版本 1.0.0

许可证 —

累计安装 0

当前安装数 0

历史版本数 1

常见问题

Blowfish Launch 是什么？

Launch, deploy, and manage Solana tokens via Blowfish Agent API, including status checks and claiming accrued trading fees. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件，目前累计下载 641 次。

如何安装 Blowfish Launch？

在 OpenClaw 或 Claude Code 对话框中运行命令「/install blowfish-launch」即可一键安装，无需额外配置。

Blowfish Launch 是免费的吗？

是的，Blowfish Launch 完全免费（开源免费），可自由下载、安装和使用。

Blowfish Launch 支持哪些平台？

Blowfish Launch 跨平台运行，可在任意部署了 OpenClaw / Claude Code 的环境中使用（cross-platform）。

谁开发了 Blowfish Launch？

由 basedmereum（@basedmereum）开发并维护，当前版本 v1.0.0。