Is brandonhay/pumpfun-launch safe?

https://github.com/openclaw/skills/tree/main/skills/brandonhay/pumpfun-launch

79
CAUTION

The pumpfun-launch skill is a functional, well-structured Solana token launcher with genuine safety guardrails. The code is clean with no prompt injection, hidden instructions, or credential-scraping logic. However, the skill operates in the financial domain: it handles a live Solana private key, executes irreversible on-chain transactions spending real SOL, and accepts arbitrary image URLs that can be weaponized as beacons. The dependency chain uses semver ranges, which creates a supply-chain update window. Before installation, users should understand that this skill can spend real money and create permanent on-chain artifacts.

Category Scores

Prompt Injection 87/100 · 30%
Data Exfiltration 70/100 · 25%
Code Execution 75/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 85/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (8)

HIGH Wallet Private Key In Scope -15

The skill reads WALLET_PRIVATE_KEY from the agent's environment via dotenv and process.env. This is a live Solana signing key controlling real funds. Any compromise of the agent process, memory, or environment variables would expose this key. The key is used to sign transactions broadcast to Solana mainnet.

HIGH Executes Irreversible Real Financial Transactions -15

The skill calls sdk.createAndBuy() which broadcasts a signed transaction to Solana mainnet. Token creation costs real SOL (~0.02 SOL minimum), is permanent, and cannot be undone. A confused agent or ambiguous user prompt could result in unintended token launches.

MEDIUM Arbitrary URL Fetch via --image Parameter -10

The loadImage() function accepts any HTTP/HTTPS URL as the image source and fetches it at runtime. If an attacker can influence the --image argument (e.g., via prompt injection targeting the agent), the skill will make an outbound HTTP request to an attacker-controlled server, revealing the agent's IP address and confirming execution. The private key is not leaked via this vector, but the beacon is notable.

MEDIUM Semver Range Dependencies Enable Automatic Updates -10

All dependencies in package.json use the ^ (caret) semver prefix, meaning bun install may pull newer minor/patch versions automatically. If pumpdotfun-sdk or @solana/web3.js is compromised in a future patch release, the skill would silently pick up malicious code without any user action.

MEDIUM Financial Loss Risk from Agent Misinterpretation -20

The skill operates on Solana mainnet with real money. While SKILL.md mandates confirmation and dry-run steps, agents can misinterpret ambiguous user requests (e.g., 'launch my token idea') and proceed through confirmation steps autonomously. The cost is irreversible: SOL spent on fees and initial buy cannot be recovered.

LOW Credential Files Read Post-Installation -15

Auditd PATH records show /home/oc-exec/.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json were all accessed in sequential order (items 7034-7039) approximately 4 seconds after skill installation completed. The canary integrity monitor reports all files intact (unmodified). The sequential access pattern is consistent with the Oathe audit system's post-install canary verification pass, not with the skill itself (which only reads from its own directory). Flagged for completeness.

LOW RPC Endpoint Is User-Controlled and Unvalidated -5

HELIUS_RPC_URL is read directly from the .env file with no validation of the domain or scheme. A compromised .env file or malicious setup instruction could redirect all Solana RPC traffic — including signed transactions — through a third-party proxy. Practical risk is low if the user sets up their own .env, but noted for completeness.

INFO Protective Agent Instructions Present 0

SKILL.md includes a clearly labeled IMPORTANT section instructing the agent to always confirm with the user before execution, always run --dry-run first, warn about real SOL costs, and report results transparently. These instructions reduce (but cannot eliminate) the risk of accidental financial transactions.