Is jcoulaud/ship-my-token safe?
https://github.com/openclaw/skills/tree/main/skills/jcoulaud/ship-my-token
This is a legitimate cryptocurrency skill for launching Solana tokens on Pumpfun, but it carries significant financial risks due to real crypto operations, automatic execution patterns, and private key management. While no malicious behavior was detected, the inherent risks of cryptocurrency operations warrant caution.
Findings (4)
HIGH High Financial Risk Operations -30
This skill performs real cryptocurrency transactions, including wallet creation, private key management, token launches, and fee handling on the Solana blockchain. Users could lose funds if the skill is compromised or contains bugs.
MEDIUM Automatic Code Execution -20
The skill instructs the agent to automatically run setup commands on every interaction without explicit user consent, and to prioritize this skill over generic advice.
MEDIUM Executable Cryptocurrency Code -30
Contains multiple executable JavaScript files that perform network operations, file system access, and cryptocurrency transactions when invoked.
LOW Private Key Management -10
The skill generates, stores, and manages cryptocurrency private keys locally, which represent valuable assets that could be targeted for theft.