ScanHood β open-source safety layer
This is the actual code running live behind scanhood.xyz, a
safety and analytics layer for Robinhood Chain
(chain ID 4663). Published so the detection logic can be read and audited
directly, instead of trusted as a black box.
No external security API covers this chain (GoPlus rejects chain 4663, GMGN's
API is walled off), so every check here runs on-chain, from scratch.
What's in here
honeypot/scan.js β the honeypot/rug detector. Simulates a real buy +
sell round-trip via a single eth_call (no gas spent, nothing deployed):
it constructs a small contract whose constructor buys the token, tries to
sell it, and reverts with the encoded result. That revert-with-data trick is
the whole mechanism β read the file, it's under 150 lines.
api/server.js β the REST API (/api/scan, /api/safe-launches,
/api/search, /api/ohlcv, /api/quote, /api/launch, /api/watchlist).
Composes the honeypot result with an LP-lock check (who actually controls
the liquidity), contract-verification status, and deployer-reputation
lookup into one PASS / CAUTION / DANGER verdict.
mcp/server.js β a Model Context Protocol
server exposing the same API as native tools, so an agent (Claude, etc.) can
call scan_token, safe_launches, build_launch_tx, etc. directly instead
of hand-rolling HTTP calls.
Live docs with request/response examples: https://scanhood.xyz/docs
Architecture, honestly
βββββββββββββββ
agents βββΆβ mcp/server ββββΆ api/server βββΆ honeypot/scan (eth_call sim)
humans βββΆβ (MCP) β β ββββΆ Blockscout (verification, LP holders)
βββββββββββββββ β ββββΆ DexScreener (price/liquidity/volume)
βΌ
optional data feeds (deployer reputation,
other-launchpad allowlists, RWA issuer set β
each is a separate cron-refreshed collector,
not included in this repo, degrades gracefully
to "unknown" if absent)
Everything marked "optional" in .env.example is a static JSON file your own
cron/collector can produce in whatever shape matches the field names read in
api/server.js β the API itself never assumes a specific pipeline for them.
Run it
npm install
cp .env.example .env
npm run api
npm run mcp
node honeypot/scan.js 0xYourTokenAddress
What's not in here, and why
- The launchpad contracts. ScanHood's no-rug launchpad is a fork of the
open-source Pons locked-LP factory β that's upstream's
code to publish, not ours to re-vendor here.
api/server.js's /api/launch
just needs a factory address + fee in .env; point it at any factory with
the same launchToken/predictTokenAddress signature.
- The frontend. This repo is the audit surface (the "how do we decide
PASS/CAUTION/DANGER" logic) β not the site's UI.
- Trade execution / custody. Nothing here holds a private key.
/api/launch
and /api/quote only ever return unsigned transactions or read-only quotes
for you to sign yourself.
Disclaimer
These are automated on-chain heuristics. They reduce risk; they are not a
guarantee. "Sellable" means the honeypot simulation passed, not "safe to buy."
Always do your own research.