
      Safety Report

      Prism Alerts

      @NextFrontierBuilds

      Real-time Pump.fun token alerts for Solana traders. New launches, graduations, volume spikes. For trading bots, Discord, Telegram, AI agents.

      1,640 Downloads
      0 Installs
      0 Stars
      3 Versions
      API Integration (13,230) · Notifications & Alerts (2,146)

      Security Analysis

      medium confidence
      Suspicious · 0.08 risk

      The skill's functionality matches its description, but there are inconsistencies around declared environment variables and an opaque third‑party API endpoint that warrant caution before installing or providing bot credentials.

      Feb 11, 2026 · 3 files · 3 concerns

      Purpose & Capability: note

      Name/description (Pump.fun / Solana token alerts) aligns with the included script and examples: the bash script polls PRISM endpoints and the SKILL.md shows Telegram/Discord integration examples. However, the skill metadata declares no required env vars while SKILL.md documents TELEGRAM_BOT_TOKEN, DISCORD_BOT_TOKEN, channel IDs, and PRISM_URL — an inconsistency in what the package says it needs versus what instructions demonstrate. PRISM_URL defaults to a third‑party Railway app (strykr-prism.up.railway.app); that external service is central to the skill but the source/homepage are unknown.

      Instruction Scope: note

      SKILL.md and scripts stay within alerting functionality: polling PRISM API, formatting alerts, and sending to bots. The included watch loop stores seen tokens in /tmp/prism_seen_tokens.txt and polls every 30s. SKILL.md includes code examples that would transmit token data to Telegram/Discord channels (expected for alerts). Instructions do not direct the agent to read unrelated files or other credentials, but they do assume use of external messaging services (which require tokens).

      Install Mechanism: ok

      No install spec — instruction-only plus a small shell script included. Nothing is downloaded from arbitrary URLs or written to unusual system locations by an installer. Risk from installation mechanism is low.

      Credentials: concern

      The skill metadata lists no required env vars, but SKILL.md documents PRISM_URL, TELEGRAM_BOT_TOKEN, TELEGRAM_CHANNEL_ID, DISCORD_BOT_TOKEN, and DISCORD_CHANNEL_ID. Requiring messaging bot tokens is expected for integrations, but the metadata failing to declare them reduces transparency. Also the default PRISM_URL points to a third‑party hosted endpoint (Railway) — all alert/request data will flow through that service unless you change PRISM_URL. Requesting or entering bot tokens into code that communicates with an external (unknown) API increases risk of credential exposure if that service or its operator is untrusted.

      Persistence & Privilege: ok

      always is false and the skill does not request elevated or persistent platform privileges. The script writes only a temporary /tmp/prism_seen_tokens.txt to deduplicate alerts. It does not modify other skills or system settings.

      Guidance

      This skill appears to do what it says (poll a PRISM API and produce alerts), but exercise caution before supplying bot credentials or trusting the default PRISM endpoint. Things to check before installing or running:

      - Verify the PRISM API: the default URL (strykr-prism.up.railway.app) is a third‑party host with no homepage provided; confirm the operator and trustworthiness. Consider self‑hosting or pointing PRISM_URL at a trusted endpoint.
      - The package metadata does not declare the TELEGRAM/DISCORD env vars shown in the README. Expect to need your own TELEGRAM_BOT_TOKEN / DISCORD_BOT_TOKEN and channel IDs to send alerts — do not paste tokens into unknown web UIs; run the bot locally or in a controlled environment.
      - Inspect and run the included scripts locally or inside a sandbox/container. The script only uses curl/jq and writes a dedupe file under /tmp, but network requests go to the PRISM service so review traffic if you are concerned about data leaving your environment.
      - Prefer creating your own messaging bots and supply only those tokens. If you must use an external Prism provider, verify TLS, ownership, and privacy policy; avoid sharing credentials with unknown operators.

      If you want a higher assurance verdict, provide: the upstream repository or homepage for the PRISM API and the skill, and confirmation of who operates the strykr-prism endpoint; with that info the assessment can move to benign if the operators are trustworthy.

      Latest Release

      v1.1.2

      Rebranded to OpenClaw

      Published by @NextFrontierBuilds on ClawHub
