one-click-token-launch
Pass
Audited by Gen Agent Trust Hub on Apr 15, 2026
Risk Level: SAFE
Full Analysis
- [COMMAND_EXECUTION]: The skill uses `subprocess` and `asyncio.create_subprocess_exec` to interact with the local `onchainos` CLI. This is used for checking wallet status, resolving addresses, and performing signed contract calls or transaction broadcasts. All calls use the list-based argument format, preventing shell injection.
- [EXTERNAL_DOWNLOADS]: The skill interacts with external APIs including PumpPortal, Bags.fm, Moonit, and LetsBonk to build transactions. It also uses IPFS pinning services (pump.fun free endpoint and Pinata) for metadata storage. These network operations are consistent with the skill's stated purpose of cross-chain token deployment.
- [DATA_EXFILTRATION]: Token metadata (name, symbol, description, and image) is sent to external IPFS and launchpad APIs as part of the token creation process. This is the primary function of the skill and does not involve sensitive user credentials or unauthorized data access.
- [SAFE]: The skill implements a robust security model, utilizing Trusted Execution Environment (TEE) signing via the host's agentic wallet. It enforces a strict confirmation boundary, requiring explicit user input before any real on-chain transaction is executed in live mode. It also includes a Paper Mode (DRY_RUN) as the default state to prevent accidental financial loss during initial testing.