Security scan
OpenClaw
Suspicious
Medium confidence: The skill's code and runtime instructions require a private Solana wallet key and network access to an external API, but the registry metadata does not declare those requirements and the source/homepage are missing — plausible for the stated purpose but the metadata mismatch and unknown origin are concerning.
Assessment recommendation
This skill implements its stated purpose (launching Solana tokens) and the script legitimately needs a wallet private key to sign authentication challenges. However: (1) the registry metadata does not declare the WALLET_SECRET_KEY env var or the runtime dependencies — ask the publisher to update metadata to accurately list required env vars and runtime. (2) The source and homepage are unknown; verify the operator (api-blowfish.neuko.ai) and confirm you trust them before exposing any private key.
⚠ Purpose and capabilities
The skill's name, SKILL.md, and script all describe launching tokens via the Blowfish Agent API and the included script implements that workflow. That capability is coherent with the stated purpose. However, the registry metadata claims no required environment variables or binaries, while both SKILL.md and scripts/blowfish-launch.ts require a WALLET_SECRET_KEY env var and Node/Bun runtime + certain JS libraries. The missing declaration of the wallet secret in the metadata is an inconsistency and should be justified or fixed.
⚠ Instruction scope
The SKILL.md and the bundled script are narrowly scoped to: read WALLET_SECRET_KEY, perform a wallet-based challenge/verify with api-blowfish.neuko.ai, POST launch parameters, poll status, and optionally call claim endpoints. They do not ask to read unrelated system files. The concern is that the instructions explicitly require the wallet private key (WALLET_SECRET_KEY) and will transmit signatures and JWT-authenticated requests to an external service — behavior that is expected for launching tokens but sensitive and not declared in registry metadata.
✓ Install mechanism
There is no install spec (instruction-only plus a script), so nothing will be automatically downloaded or written by an installer. This is low-risk from an install mechanism perspective. The script expects Node.js/Bun and some npm packages but does not install them itself.
⚠ Credential requirements
The script requires WALLET_SECRET_KEY (a full ed25519 private key) to be provided via an environment variable, but the skill metadata lists no required env vars or primary credential. This mismatch is a red flag. The API issues a JWT with scope ["read","trade"] per references/api.md, which implies the authenticated token could permit trading or other account actions — further increasing sensitivity of the private key. No other unrelated secrets are requested, which is appropriate, but the omission from metadata and the sensitivity of the key justify caution.
✓ Persistence and permissions
The skill does not request permanent presence (always: false) and does not modify other skills or system-wide agent settings. Autonomous invocation is enabled by default (disable-model-invocation: false), which is normal; combine that with the required wallet key only if you trust the skill and operator.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Version
latest v1.0.0 2026/2/14
Initial release — launch tokens on Solana via Blowfish Agent API (Meteora DBC)
● Harmless
Install command
Official: npx clawhub@latest install blowfish-launch
Mirror (accelerated): npx clawhub@latest install blowfish-launch --registry https://cn.clawhub-mirror.com
Skill documentation
Launch tokens on Solana programmatically via the Blowfish Agent API.
Base URL: https://api-blowfish.neuko.ai
Prerequisites
- A Solana keypair (ed25519). The private key should be available as the WALLET_SECRET_KEY env var (JSON array of bytes).
- Node.js 18+ or Bun with @solana/web3.js, tweetnacl, bs58
Workflow
- Authenticate — wallet-based challenge-response → JWT (15 min expiry)
- Launch — POST token params → receive eventId
- Poll — GET status by eventId until success or failed
- Done — token is live on Solana via Meteora DBC
Quick Launch
Run the bundled script:
WALLET_SECRET_KEY='[...]' bun run scripts/blowfish-launch.ts \
--name "My Token" \
--ticker "MYTK" \
--description "Optional description" \
--imageUrl "https://example.com/logo.png"
API Endpoints
Authentication
POST /api/auth/challenge — { wallet } → { nonce }
POST /api/auth/verify — { wallet, nonce, signature } → { token }
Sign message: sign "Sign this message to authenticate:" with ed25519, then base58-encode the signature.
Tokens
POST /api/v1/tokens/launch — { name, ticker, description?, imageUrl? } → { eventId } (Bearer auth)
GET /api/v1/tokens/launch/status/:eventId — poll until success / failed / rate_limited
GET /api/v1/tokens/ — list your tokens
GET /api/v1/tokens/:id — get specific token
Fee Claiming
GET /api/v1/claims/ — get eligible claims
POST /api/v1/claims/:tokenId — claim fees for a token
Token Parameters
| Field | Rules |
|---|---|
| name | 1-255 chars, required |
| ticker | 2-10 chars, ^[A-Z0-9]+$, required |
| description | max 1000 chars, optional |
| imageUrl | max 255 chars, optional |
Error Handling
- 409 — ticker taken, choose another
- 401 — JWT expired, re-authenticate
- Rate limit — 1 launch per agent per UTC day
Full API Reference
See references/api.md for complete endpoint documentation.
Source: ClawHub · Chinese localization: 龙虾技能库