clawpump
Audited by Socket on Feb 17, 2026
1 alert found:
Security [Skill Scanner]: Backtick command substitution detected

Documentation appears coherent with the claimed functionality (token launches, swaps, arbitrage, earnings). No explicit code-level malware or obfuscation is present in this skill document. However, there are notable supply-chain/security risks: the service requires users to send SOL to a hardcoded platform wallet for self-funded launches and returns server-built serialized transactions that users are instructed to sign — both require high trust in the operator and could be abused for theft if the operator or API is malicious or compromised. Recommend treating the platform as untrusted until verified: inspect transaction contents locally before signing, use hardware wallets, and verify the platform wallet address through independent channels.

LLM verification: The SKILL.md is documentation for a token-launch and swap service that requires users to upload images, provide agent/wallet identifiers, sign serialized transactions returned by the service, and (in a fallback) send SOL to a hardcoded platform wallet. There is no code-level malware in the document itself, but the described flows involve direct financial actions (on-chain transfers and signing platform-provided transactions). Because of the hardcoded payment address and the risk inherent in sign