belimad

Pumpfun Agent Integration

Author: Belimad · GitHub ↗ · v1.0.1 · MIT-0
cross-platform ⚠ suspicious
Total downloads: 258
Favorites: 1
Current installs: 0
Versions: 2
Install in OpenClaw
/install pumpclaw-agent
Description
Generate customer-ready Telegram polling bots + an Express-style web server that integrate Pump.fun Tokenized Agent payments using @pump-fun/agent-payments-s...
Security recommendations
What to consider before installing or using this skill:
- Inconsistency: The registry lists no required env vars, but the template requires multiple secrets (treasury secret key, API/BILLING tokens, Telegram bot token, RPC URL). Expect to provide and securely store those before running.
- Env-var mismatch: Files use different env names (server.cjs expects SOLANA_RPC_URL while server.js expects RPC_URL). Confirm and unify the .env.example and runtime env names when stamping the template.
- Sensitive key handling: The template generates per-user deposit wallets and stores their private keys (base58) in a local SQLite DB. This is a potential secret-exfiltration / theft risk if deployed as-is. For production, avoid storing raw private keys, use custodial best-practices, hardware modules, or derive one-time addresses that do not require storing long-term secrets.
- TREASURY_SECRET_KEY_BASE58: This secret is required for treasury operations; do not commit it to source control and store it securely (secrets manager or HSM). The SKILL.md's 'do not commit .env' is necessary but not sufficient guidance.
- Audit dependencies and code: The package-lock.json includes many third-party packages. Review @pump-fun/agent-payments-sdk and other dependencies for trustworthiness and expected behavior before using funds.
- Run in isolation: Test the stamped project in an isolated environment with testnet RPC and throwaway keys first. Verify the invoice validation flow and that no unintended network calls or logging of secret material occur.
- Operational hardening: Add access controls around the API_TOKEN/BILLING_TOKEN, enable TLS, secure the SQLite DB file, rotate keys, and add audit logging. Consider not using the demo pattern of per-user secret storage for production.
Given the above mismatches and sensitive behaviors, do not deploy this template to production without resolving env-name inconsistencies, implementing safer key custody, and performing a security review.
Functional analysis
Type: OpenClaw Skill
Name: pumpclaw-agent
Version: 1.0.1
The skill bundle provides a Telegram bot scaffold that implements a custodial wallet system, generating and storing user Solana private keys in a local SQLite database (deposit_secret_b58) to automate payments. This implementation directly contradicts the safety instructions in SKILL.md, which explicitly state 'Never sign transactions on behalf of the user.' Additionally, the server configuration (server.cjs and server.js) requires a sensitive TREASURY_SECRET_KEY_BASE58 environment variable that is initialized but never actually utilized in the provided code logic. While these patterns are common in high-risk custodial bot designs, the discrepancy between documentation and implementation, combined with the unnecessary collection of sensitive keys, makes the bundle suspicious.
Capability assessment
Purpose & Capability
Name/description (Telegram + web server + Pump.fun payments) align with the included templates and code: the project includes server and Telegram bot implementations and uses @pump-fun/agent-payments-sdk and @solana/web3.js. However the registry metadata declares no required env vars/credentials while the template and runtime files clearly require multiple secrets (TREASURY_SECRET_KEY_BASE58, API_TOKEN, TELEGRAM_BOT_TOKEN, BILLING_TOKEN, etc.). That omission is an incoherence that could mislead installers.
Instruction Scope
SKILL.md instructs stamping and configuring the template and lists some env vars, and the code implements the payment and bot flows. Problems: env-var names are inconsistent across files (SKILL.md references SOLANA_RPC_URL; server.js expects RPC_URL; server.cjs expects SOLANA_RPC_URL), which can cause misconfiguration. The template code generates per-user deposit keypairs and stores deposit_secret_b58 in SQLite — a sensitive action that SKILL.md does not explicitly warn about or prescribe secure handling for (only a generic 'do not commit .env' rule). The safety rules claim 'Never sign transactions on behalf of the user' yet the server signs transactions using server-generated deposit keypairs (server-side signing is intended here but the phrasing is ambiguous).
Install Mechanism
No install spec is declared (instruction-only skill) and the repository only includes a stamp script plus an npm project template. Dependencies are standard npm packages (Pump SDK, solana/web3, fastify, grammy, etc.) captured in package.json and package-lock.json. No external download URLs or archive extraction from unknown hosts are used in the skill itself.
Credentials
The template requires several sensitive environment values (TREASURY_SECRET_KEY_BASE58, API_TOKEN/BILLING_TOKEN, TELEGRAM_BOT_TOKEN, DB_PATH, RPC URL) which are proportionate to a billing server but were omitted from the registry metadata. In addition, the service stores per-user deposit private keys (deposit_secret_b58) in the SQLite DB — reasonable for the provided demo flow but high-risk for production. The mismatch and storage of private keys should be explicitly documented and reworked for secure deployments.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global agent settings. It produces a project scaffold and scripts; there is no elevated platform persistence requested by the skill bundle itself.
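How to use
  1. Make sure OpenClaw is installed (local or Docker deployment)
  2. Enter the install command in the chat box: /install pumpclaw-agent
  3. Once installation completes, invoke the Skill by name or trigger it with /pumpclaw-agent
  4. Provide the required inputs according to the Skill's parameter description to get structured output
Version history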
v1.0.1
Add Pump Tokenized Agent integration highlighting + sdk deps + env cleanup
v1.0.0
Initial release of the Telegram Web Bot Generator skill.
- Generate ready-to-use Node.js projects with a polling-based Telegram bot and Express web server, based on a reusable template.
- Supports custom Telegram commands/handlers, web APIs, environment variable setup, and customer-ready delivery.
- Follows clear safety and quality guidelines (no secret leakage, only provide .env.example, includes rate limiting).
- Outputs step-by-step run instructions and a smoke-test checklist.
- Defaults to CommonJS and polling; prompts for needed info before creating the project.
- Intended for fast, reliable customer bot+server codebase scaffolding.
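Metadata
Slug: pumpclaw-agent
Version: 1.0.1
License: MIT-0
Total installs: 0
Current installs: 0
Number of versions: 2
FAQ

What is Pumpfun Agent Integration?

Generate customer-ready Telegram polling bots + an Express-style web server that integrate Pump.fun Tokenized Agent payments using @pump-fun/agent-payments-s... It is an AI Agent Skill plugin for Claude Code / OpenClaw, with 258 total downloads so far.

How do I install Pumpfun Agent Integration?

Run the command "/install pumpclaw-agent" in the OpenClaw or Claude Code chat box to install it in one step; no additional configuration is needed.

Is Pumpfun Agent Integration free?

Yes. Pumpfun Agent Integration is completely free and released under the MIT-0 license; it can be freely downloaded, installed, and used.

Which platforms does Pumpfun Agent Integration support?

Pumpfun Agent Integration runs cross-platform and can be used in any environment where OpenClaw / Claude Code is deployed (cross-platform).

Who developed Pumpfun Agent Integration?

It is developed and maintained by Belimad (@belimad); the current version is v1.0.1.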
