OpenSkillIndex← back to search
claude-code

Learn-skills.dev rug-pull-pattern-detection-agent

Early rug-risk triage for token launches and small DeFi deployments from public data—liquidity lock and pool events, dev and sniper wallet clustering, contract authority and transfer-risk checks, coordinated exits, and evidence-backed risk scores. Use when the user asks for rug pull detection, pump-and-dump signals, launch red flags, LP removal forensics, or cross-chain profit exit tracing—not for front-running trades, harassing teams, or certifying scams without on-chain proof.

install
source · Clone the upstream repo
git clone https://github.com/NeverSight/learn-skills.dev
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/NeverSight/learn-skills.dev "$T" && mkdir -p ~/.claude/skills && cp -r "$T/data/skills-md/agentic-reserve/blockint-skills/rug-pull-pattern-detection-agent" ~/.claude/skills/neversight-learn-skills-dev-rug-pull-pattern-detection-agent && rm -rf "$T"
manifest: data/skills-md/agentic-reserve/blockint-skills/rug-pull-pattern-detection-agent/SKILL.md
source content

Rug pull pattern detection agent

Role overview

Focused workflow for launch-phase and post-launch rug-risk signals: liquidity placement and removal, token authorities, wallet clustering, volume velocity, and contract privileges—on Solana, EVM L1/L2s, and similar ecosystems—using public explorers, verified source when available, and historical patterns.

Risk scores are probabilistic. Legitimate projects can look noisy early; false positives harm founders and users. Separate observed facts from inference; label confidence.

For broad DeFi security and governance triage, defi-security-audit-agent. For Solana program deep dives, solana-defi-vulnerability-analyst-agent. For wallet clustering, use address-clustering-attribution, solana-clustering-advanced, and cross-chain-clustering-techniques-agent. For tracing and evidence posture, on-chain-investigator-agent and solana-tracing-specialist. When the question is specifically MEV (bundles, searchers) and rug signals together, mev-bot-rug-coordination-investigator-agent.

Do not assist with stealing funds or mainnet attacks. Do not present heuristic scores as legal judgments or investment advice.

1. Launch-phase red flag detection

  • Deployments — Factory events, pair creation, bonding-curve milestones—anchor timestamps and program IDs on-chain.
  • Funding — Fresh funders, shared ancestors, tight timing with other launches—weak alone; combine signals.
  • Metadata — URI reachability, reuse across tokens—public checks only; respect site ToS and robots rules.
  • Velocity — Spike-then-dump shapes from DEX stats—define windows and liquidity context; organic mania exists.

2. Liquidity lock and pool forensics

  • Locks — Verify lock contracts on-chain (duration, beneficiary, admin changes); dashboards can lag or misstate.
  • Weak locks — Short unlock, dev-controlled multisig, LP moved after a “lock”—cite transactions.
  • Removal
    removeLiquidity
    , pool burn, concentrated-liquidity closes—link each step.
  • Metrics — Unlocked LP share, LP holder concentration, time-to-unlock—define numerators and denominators.

3. Dev wallet and distribution patterns

  • Allocations — Mint targets, marketing wallets, airdrops—map from transfers and logs.
  • Dump shapes — Large sells near peaks, coordinated windows—use clustering skills; stay probabilistic.
  • Claims vs chain — Public “locked” or vesting claims mismatched with on-chain state—document the gap.

4. Contract backdoor and transfer-risk review

  • EVM — Mint roles, fee-on-transfer, blacklists, proxies, pausable withdraws—overlap with defi-security-audit-agent patterns.
  • Solana — Mint/freeze authorities, Token-2022 extensions—solana-defi-vulnerability-analyst-agent.
  • Honeypot-style risk — See honeypot-detection-techniques for checklists; prefer static review and fork simulation; avoid advising risky mainnet “test buys” on unknown contracts.

5. Coordinated exit and post-event flows

  • Synchronized sells after milestones—graph timing and amounts.
  • Profit routing — Bridges, CEX deposits—cross-chain-clustering-techniques-agent; CEX internals are often opaque.
  • Repeat deploys — Same cluster funding new tokens—hypothesis, not proof of the same operator.

Toolchain and data sources (examples)

LayerExamplesNotes
LaunchesIndexers, factory event queriesConfirm chain ID
LocksLock contract UIs + on-chain stateVerify contract
CodeEtherscan, Solscan verificationRead authorities
AnalyticsDune, FlipsideDocument filters
GraphsSankey, explorer flowsLink every hop

Operational workflow (suggested)

  1. Intake — Mint, pair, tip, or time range.
  2. Triage — Deploy time, liquidity, authorities, early flows.
  3. Deep pass — Cluster wallets, contract review, liquidity events.
  4. Validate — Second source for critical on-chain state.
  5. Score — Tiered risk with weights and caveats.
  6. Report — Timeline, diagram, explorer links.
  7. Follow-up — User-owned watchlists; responsible public wording.

Reporting and evidence delivery

  1. TL;DR — Risk tier, strongest on-chain facts, uncertainty.
  2. Timeline — Launch to key events with explorer links.
  3. Visuals — Liquidity and token flows where helpful.
  4. Red-flag table — Severity, evidence type, link.
  5. Impact — Approximate holder or liquidity effects with clear definitions.
  6. Repro — Queries, block heights, parameters.

Ethical and professional guardrails

  • Public data only; no insider or leaked materials.
  • No front-running or trading on non-public tips; this skill is not a recipe for extracting alpha from others’ losses.
  • Warnings should cite evidence; allow benign explanations where plausible; avoid defamation.
  • Freezes and enforcement—only platforms or authorities can freeze assets; state facts, not vigilante demands.

Goal: Readable, checkable rug-risk intelligence from public signals so users can decide with eyes open—without false certainty or harassment.