← 返回 Skills 市场
Solpaw Interaction Skill
作者
LvcidPsyche
· GitHub ↗
· v0.1.1
905
总下载
0
收藏
1
当前安装
1
版本数
在 OpenClaw 中安装
/install solpaw-skill-v2
功能描述
Launch Solana tokens on Pump.fun via the SolPaw platform. 0.1 SOL one-time fee. Your wallet is the onchain creator.
安全使用建议
Before installing, consider the following:
- Do not store your main Solana private key in an environment variable for a third-party skill. Prefer a dedicated wallet with minimal funds or an offline/hardware signing flow.
- Verify whether the skill will perform local signing (/tokens/launch-local) or server signing (/tokens/launch). The code provided posts to /tokens/launch (server-side signing) which contradicts the docs that promise your wallet as the on-chain creator. Ask the author to confirm and/or change the code to use the local signing endpoint.
- If you must test, create a throwaway wallet with <=0.15 SOL and test the flow first; never give this skill access to high-value keys.
- Limit autonomous invocation: disable autonomous invocation for this skill or remove SOLANA_PRIVATE_KEY from the agent environment so it cannot sign without explicit manual steps.
- Audit the upstream repository (github links are provided) and confirm the API endpoint and platform wallet are legitimate and match what is documented. Confirm CSRF/payment verification behavior on the server side.
- If you need a safer setup: perform the signing step entirely offline (sign transaction locally), then manually submit the signed transaction via curl, keeping the skill's API key separate.
Given the contradictions in docs vs code and the sensitive env var required, proceed only after clarifying the signing model and using a low-value test wallet.
功能分析
Type: OpenClaw Skill
Name: solpaw-skill-v2
Version: 0.1.1
The skill is classified as suspicious due to its explicit requirement for the `SOLANA_PRIVATE_KEY` environment variable, which the OpenClaw agent is instructed to use for local transaction signing. While the skill's design emphasizes local signing (preventing direct server-side exposure of the key), exposing a private key to an AI agent environment, as detailed in `SKILL.md`, `skill.json`, and `README.md`, represents a significant security risk. There is no clear evidence of intentional malicious behavior like exfiltration by the skill itself, but the inherent risk of handling such a sensitive credential by an autonomous agent warrants a 'suspicious' classification. All network communication is directed to `https://api.solpaw.fun`.
能力评估
Purpose & Capability
The skill claims to let an agent launch tokens with the user's wallet as the on-chain creator (local signing). Requiring SOLPAW_API_KEY and a creator wallet is reasonable, but the TypeScript implementation posts to /tokens/launch (server-side signing / 'lightning' endpoint) rather than the documented /tokens/launch-local. That makes the stated guarantee ('your wallet is the onchain creator') inconsistent with the implemented API call.
Instruction Scope
SKILL.md gives concrete curl steps for registering, obtaining a CSRF token, sending 0.1 SOL to a platform wallet, uploading images, and building/signing transactions locally. Those steps are scoped to the described task. However, the README/SDK examples and the SKILL.md emphasize local signing while the included code uses the server signing endpoint — a mismatch that gives the agent discretion to use a server-signed flow unless callers intentionally use the local flow.
Install Mechanism
No install script or external downloads are present; the skill is instruction-only plus a TypeScript file. Required binary is only curl. This is low risk from an install perspective.
Credentials
The skill requires SOLPAW_API_KEY and SOLPAW_CREATOR_WALLET (expected) and also SOLANA_PRIVATE_KEY (very sensitive). Requesting a private key is proportionate if the skill truly performs local signing only — but given the code calling the server-side launch endpoint, the private key requirement is not clearly justified and could be abused to sign/submit transactions unexpectedly.
Persistence & Privilege
always:false and user-invocable:true (normal). But disable-model-invocation:false means the agent could invoke the skill autonomously; combined with an environment-held private key, that gives an autonomous agent the ability to sign and submit transactions and spend funds. This combination increases the blast radius if the skill behaves unexpectedly or is misused.
如何使用
- 确保已安装 OpenClaw(本地或 Docker 部署)
- 在对话框中输入安装命令:
/install solpaw-skill-v2 - 安装完成后,直接呼叫该 Skill 的名称或使用
/solpaw-skill-v2触发 - 根据 Skill 的参数说明提供必要输入,即可获得结构化输出
版本历史
v0.1.1
- Added full documentation for launching Solana tokens on Pump.fun using the SolPaw platform
- Clarified the 0.1 SOL one-time platform fee and wallet requirements
- Detailed command-line and TypeScript SDK usage examples
- Listed all required environment variables for successful operation
- Outlined step-by-step instructions for registration, fee payment, image upload, and token launch
- Specified key constraints and best practices for safe and successful token launches
元数据
常见问题
Solpaw Interaction Skill 是什么?
Launch Solana tokens on Pump.fun via the SolPaw platform. 0.1 SOL one-time fee. Your wallet is the onchain creator. 它是一个面向 Claude Code / OpenClaw 的 AI Agent Skill 插件,目前累计下载 905 次。
如何安装 Solpaw Interaction Skill?
在 OpenClaw 或 Claude Code 对话框中运行命令「/install solpaw-skill-v2」即可一键安装,无需额外配置。
Solpaw Interaction Skill 是免费的吗?
是的,Solpaw Interaction Skill 完全免费(开源免费),可自由下载、安装和使用。
Solpaw Interaction Skill 支持哪些平台?
Solpaw Interaction Skill 跨平台运行,可在任意部署了 OpenClaw / Claude Code 的环境中使用(cross-platform)。
谁开发了 Solpaw Interaction Skill?
由 LvcidPsyche(@lvcidpsyche)开发并维护,当前版本 v0.1.1。
推荐 Skills