Solpaw

Launch Solana tokens on Pump.fun via the SolPaw platform. 0.1 SOL one-time fee. Your wallet is the onchain creator.

Do not hand over your SOLANA_PRIVATE_KEY or set it as an environment variable for this skill until the mismatches below are resolved. Specific actions to consider before installing or using this skill: - Ask the maintainer to explain and fix the discrepancy: the SKILL.md/README recommend local signing (/tokens/launch-local + /tokens/submit) but the shipped code calls /tokens/launch (server-side signing). Confirm which mode will actually be used and why. - If you want your wallet to be the on‑chain creator, insist the code use the local-signing flow (build unsigned tx, sign locally with your key, call /tokens/submit) and that SOLANA_PRIVATE_KEY is used only locally (never sent to the API). - Until that's clarified, do not put your private key in an environment variable accessible to the agent runtime. Prefer ephemeral signing (hardware wallet, remote signing service you control, or manual signing) and test on devnet/testnet first with small amounts. - Verify the platform wallet address and the project identity off-platform (check the GitHub repo, owner, and domain registration for solpaw.fun). The platform wallet is hardcoded in docs — confirm it matches the official project and not an impostor. - Require explicit user confirmation before any payment or launch action. The skill's docs state this, but it's a policy; make sure your agent enforces a human approval step before sending funds or signing transactions. - If you must use the skill, review/replace the launchToken implementation so it uses /tokens/launch-local and /tokens/submit (or otherwise ensure private keys never leave your environment), and re-run a code audit. Because of the uncertain mismatch (private-key requirement vs server-side signing), treat this skill as suspicious until the author provides a clear explanation or the code is updated to match the documented, local-signing behavior.

Type: OpenClaw Skill Name: solpaw-skill-final Version: 0.1.1 The skill is classified as suspicious due to the explicit instruction in `SKILL.md` for the AI agent to directly handle and use the `SOLANA_PRIVATE_KEY` environment variable for signing Solana transactions. While the stated purpose is to launch tokens, which requires signing, providing an autonomous agent with direct access to a private key for transaction signing is a high-risk capability. This could lead to unauthorized financial transactions if the agent is compromised or misinterprets instructions, despite the `README.md` claiming 'Private keys never touch the server' and the `solpaw-skill.ts` code using an API endpoint where the server signs (a discrepancy with `SKILL.md`'s 'Local Mode' instructions).