← 返回 Skills 市场
lvcidpsyche

Solpaw-Launcher

作者 LvcidPsyche · GitHub ↗ · v3.0.2
cross-platform ⚠ suspicious
931
总下载
0
收藏
2
当前安装
2
版本数
在 OpenClaw 中安装
/install solpaw-launcher
功能描述
Launch Solana tokens on Pump.fun via the SolPaw platform. 0.1 SOL one-time fee. Your wallet is the onchain creator.
安全使用建议
Do not install or give secrets until the implementation mismatch is resolved. The two red flags: (1) the docs promise local (client) transaction signing but the included SDK code calls the server-side /tokens/launch endpoint (which may make the platform the onchain creator), and (2) the skill declares SOLANA_PRIVATE_KEY required even though the code doesn't use it. Before using: 1) Ask the author which endpoint the SDK will call in production and whether the skill actually performs local signing or server signing. 2) If you plan to proceed, NEVER use your main wallet private key — create an ephemeral wallet with only ~0.15 SOL. 3) Prefer code that uses /tokens/launch-local + /tokens/submit (or review and modify the SDK to implement local signing). 4) Verify the API base URL (https://api.solpaw.fun) and the platform wallet on an independent source (official docs, repo). 5) Test on devnet or with a small amount before committing larger funds. If the author confirms the SDK will be changed to local signing or removes the private-key env requirement, re-evaluate — that would reduce concern.
功能分析
Type: OpenClaw Skill Name: solpaw-launcher Version: 3.0.2 The skill is classified as suspicious due to a significant functional discrepancy between the advertised security model and the implemented SDK behavior. While `SKILL.md` and `README.md` strongly emphasize 'Local Mode' where the agent's wallet is the on-chain creator and `SOLANA_PRIVATE_KEY` is used for local signing only, the `solpaw-skill.ts` SDK's `launchToken` method uses the `/tokens/launch` API endpoint, which is described in `references/api-docs.md` as a 'Fallback' where the server signs the transaction and the platform wallet becomes the on-chain creator. This misrepresentation of token ownership and transaction signing mechanism, despite the `SOLANA_PRIVATE_KEY` not being exfiltrated, creates a trust vulnerability.
能力评估
Purpose & Capability
Name/description (launch Solana tokens) match the API and files (SDK, README, API docs). However the code calls the server-side /tokens/launch endpoint (server-signing / 'Lightning' mode) while the SKILL.md and README repeatedly recommend Local Mode (/tokens/launch-local) and claim the agent's wallet will be the onchain creator. The skill also declares SOLANA_PRIVATE_KEY as required, but the TypeScript code does not use it. This mismatch between what is claimed and what is implemented is incoherent.
Instruction Scope
SKILL.md provides explicit curl commands for registering, fetching a CSRF token, uploading images, building an unsigned transaction (launch-local) and submitting a signed transaction. Those instructions are scoped to the launch task and do not ask for unrelated system files. However the README and SKILL.md strongly advise local signing while the shipped SDK code uses the server-signing endpoint — that divergence changes what data is actually needed/transmitted and how authority over the resulting onchain mint is assigned. The skill also instructs the user to send irreversible funds (0.1 SOL) to a platform wallet; that is expected for this purpose but is a high-impact action that users must explicitly authorize.
Install Mechanism
Instruction-only / TypeScript source included; no download-from-URL installs or remote execution steps. package.json and TS file are present but there is no high-risk install mechanism. Required binary 'curl' is reasonable for the curl examples.
Credentials
The declared required env vars (SOLPAW_API_KEY, SOLPAW_CREATOR_WALLET, SOLANA_PRIVATE_KEY, SOLPAW_API_URL) mostly make sense: API key and creator wallet for the service. But SOLANA_PRIVATE_KEY is flagged as required even though the provided TypeScript code never uses it (the code does not perform local signing). Asking for a private key is high-sensitivity and should only be requested if local signing is actually implemented. That mismatch is disproportionate and risky if users supply their main wallet key.
Persistence & Privilege
The skill is not always-enabled, it is user-invocable only, and model invocation is disabled (so it cannot autonomously run). It does not request system-wide config paths or try to modify other skills. No persistence/privilege escalation indicators.
如何使用
  1. 确保已安装 OpenClaw(本地或 Docker 部署)
  2. 在对话框中输入安装命令:/install solpaw-launcher
  3. 安装完成后,直接呼叫该 Skill 的名称或使用 /solpaw-launcher 触发
  4. 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v3.0.2
- Added strong security guidance and warnings regarding private key usage; recommend dedicated ephemeral wallets for launches. - Enforced explicit user-invocation only—skill may not be called autonomously by agents. - Updated prerequisites: `SOLPAW_API_URL` must be set in environment variables. - Disabled model invocation: now requires explicit user action. - Expanded and clarified security section on transaction signing, API keys, environment variables, and daily launch limits. - Revised constraints to emphasize no logging or transmitting of private keys and stricter user-approval requirements.
v3.0.1
solpaw-launcher 3.0.1 - Added comprehensive user guide for launching Solana tokens via SolPaw, including prerequisites, fee details, and full command-line/SDK steps. - Clarified environment variable requirements: SOLPAW_API_KEY, SOLPAW_CREATOR_WALLET, and SOLANA_PRIVATE_KEY. - Documented new workflow: register agent, obtain CSRF token, pay launch fee, upload image, and launch token with agent wallet as onchain creator. - Outlined constraints and best practices for safe token launches (approval, limits, image use). - Included code examples for both cURL and TypeScript SDK usage, enhancing developer onboarding.
元数据
Slug solpaw-launcher
版本 3.0.2
许可证
累计安装 2
当前安装数 2
历史版本数 2
常见问题

Solpaw-Launcher 是什么?

Launch Solana tokens on Pump.fun via the SolPaw platform. 0.1 SOL one-time fee. Your wallet is the onchain creator. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 931 次。

如何安装 Solpaw-Launcher?

在 OpenClaw 或 Claude Code 对话框中运行命令「/install solpaw-launcher」即可一键安装,无需额外配置。

Solpaw-Launcher 是免费的吗?

是的,Solpaw-Launcher 完全免费(开源免费),可自由下载、安装和使用。

Solpaw-Launcher 支持哪些平台?

Solpaw-Launcher 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。

谁开发了 Solpaw-Launcher?

由 LvcidPsyche(@lvcidpsyche)开发并维护,当前版本 v3.0.2。

推荐 Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191115 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 留言讨论