
feat: add OpenSea plugin for swaps, marketplace, and drops #67

Open
CodySearsOS wants to merge 2 commits into base:master from CodySearsOS:add-opensea-skill-2


@CodySearsOS


No description provided.

devin-ai-integration Bot and others added 2 commits June 2, 2026 10:49
Adds OpenSea as a hybrid plugin for Base MCP covering:
- Token swaps via cross-chain DEX aggregator
- NFT drops/minting with direct calldata mapping
- NFT marketplace trading (buy, sell, cross-chain fulfill)

Uses CLI-first pattern (like Morpho/Avantis) with OpenSea MCP
fallback for read operations on no-shell surfaces. All endpoints
require API key - agent self-provisions via POST /api/v2/auth/keys.

Also adds OpenSea to the native plugins table in SKILL.md.

Co-Authored-By: cody.sears@opensea.io <cody.sears@opensea.io>
Restructures the OpenSea plugin to match the standardized plugin spec:
- Full YAML frontmatter (tags, name, version, integration, chains,
  requires, auth, risk)
- Canonical section names and ordering (Overview, Detection,
  Installation, Auth, Surface Routing, Commands, Orchestration,
  Submission, Example Prompts, Risks & Warnings, Notes)
- Separate Submission section naming send_calls with exact mappings
- Risks & Warnings with per-tag hazard/guardrail bullets
- Verified CLI commands and MCP tool params against latest
  opensea-devtools skill

Co-Authored-By: cody.sears@opensea.io <cody.sears@opensea.io>
@cb-heimdall

Collaborator

🟡 Heimdall Review Status

Requirement Status More Info
Reviews 🟡 0/1
Denominator calculation
1 if user is bot 0
1 if user is external 0
2 if repo is sensitive 0
From .codeflow.yml 1
Additional review requirements
Max 0
0
From CODEOWNERS 0
Global minimum 0
Max 1
1
1 if commit is unverified 0
Sum 1

@stephancill stephancill left a comment

Collaborator

Thanks for the submission. The plugin is well-structured and the Seaport fulfillment path maps into send_calls. A couple of correctness issues need to be addressed before merge:

Required

  • Revert the SKILL.md plugins-table row. Plugins shouldn't add themselves to the registry — maintainers will register them when the program is ready. Limit the PR to plugins/opensea.md plus the net-new tag-vocabulary additions noted below.
  • requires.allowlist is [], but the plugin makes direct HTTPS calls to api.opensea.io and uses the OpenSea MCP at mcp.opensea.io. Add both hosts so chat-only surfaces can reach them.
  • The REST fulfillment path returns decoded input_data (a struct) plus a function signature — not hex calldata. The documented curl POST /listings/fulfillment_data -> send_calls path therefore requires ABI-encoding fulfillAdvancedOrder before send_calls. Either document the encoding step explicitly, or restrict fulfillment to the CLI path (which encodes internally).

Minor

  • Tags nft, marketplace, drops are net-new; add them to the shared vocabulary list in skills/base-mcp/references/plugin-spec.md (the tags entry under "Choosing each field's value"), as the spec instructs when introducing a new tag.
  • cliPackage should be the full invocation (npx @opensea/cli@latest).
  • Free-tier rate limits are stated as 120/60/60; the API returns 60/5/5. Key creation via POST /api/v2/auth/keys is additionally limited to 1 key/hour, so on-demand minting will fail on repeat — document this.
  • get_collection_stats is stale relative to the live MCP tool catalog; verify tool names against the catalog.

@youssefea

Collaborator

Note: this is an AI-generated review. An automated, read-only API/endpoint health check — not a human review.

Thanks for the submission — nice work on the OpenSea plugin, and the CLI/MCP/contracts all check out. As part of reviewing the Wave 2 submissions I ran an automated, read-only health check against the documented endpoints. A couple of items are worth tightening before merge:

Findings

  • Major — requires.allowlist is empty ([]), but the plugin contacts both api.opensea.io and mcp.opensea.io/mcp. With an enforced host allowlist these calls would be blocked. Add both hosts.
  • Major — send_calls value mapping. All four ## Submission mappings (swap/mint/fulfillment/cross-chain) copy the API's decimal-string value (e.g. "20000000000000000", "50000000000000000") verbatim into calls[].value. send_calls expects a hex quantity (0x...); a decimal string will be misread or rejected. Document the decimal→hex conversion.
  • Minor — Auth claim overbroad. The doc says "All OpenSea endpoints require an x-api-key header", but GET https://api.opensea.io/api/v2/collections and /collections/{slug}/stats return 200 unauthenticated (and with an invalid key). Auth is only enforced on write endpoints (POST .../listings/fulfillment_data → 401 Missing an API Key...) and on MCP tool calls (incl. get_token_swap_quote → isError: This tool requires an OpenSea API key).
  • Minor — Swap-quote calldata shape unverified read-only: get_token_swap_quote is key-gated, so the documented swap.actions[0].transactionSubmissionData shape feeding send_calls could not be confirmed live. Verify to/data/value/chain.identifier field names against a real quote.
  • Minor — MCP param drift: live get_mint_action schema requires only collectionSlug, quantity, minterAddress (doc also lists chain, contractAddress); get_drop_details takes only collectionSlug (doc lists minter).
  • Verified healthy: @opensea/cli@1.10.0 exists (ProjectOpenSea repo); Seaport 1.6 0x0000000000000068F116a894984e2DB1123eB395 has code on Ethereum and Base; USDC 0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913 has code on Base; POST /api/v2/auth/keys is a real no-signup key endpoint (201, 1 key/hr); the MCP server is live (serverInfo: OpenSea Data API) and exposes every documented tool name.

What was checked

Read-only only — no transactions submitted, no funds moved, no API keys used. Probed: DNS/TLS for api.opensea.io and mcp.opensea.io; unauthenticated and invalid-key GETs on REST read endpoints (/api/v2/collections, /collections/{slug}/stats) for status + auth behavior; empty-body POSTs on /api/v2/listings/fulfillment_data and /api/v2/offers/fulfillment_data (to observe 401 gating without submitting real data); POST /api/v2/auth/keys; a full MCP JSON-RPC handshake (initialize → tools/list → tools/call) without a key to confirm tool names/schemas and auth gating; npm view @opensea/cli; and on-chain cast code checks for Seaport 1.6 (Ethereum + Base) and USDC (Base).

Really appreciate the contribution — happy to clarify any of the above. Since this is an automated check, please double-check anything that looks unexpected on your end before changing it.


Generated by an AI assistant (Claude) after an automated, read-only deep analysis of the API/endpoint health documented in this plugin. It checks endpoint reachability, HTTP status codes, response shapes, auth behavior, SDK/package existence, and on-chain contract presence — it does not submit transactions or move funds. Please independently verify any finding before acting on it.
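
The decimal→hex conversion the review asks to document, together with a check that `data` is hex calldata rather than a decoded struct, as an added example (not code from this PR, the plugin, or OpenSea). It assumes `calls[].value` uses the Ethereum JSON-RPC hex-quantity form (0x prefix, no leading zeros); `toHexQuantity`, `toCall` and `SAMPLE_TX` are hypothetical names, and the sample transaction is constructed.

```javascript
// Added example. Field names to/data/value are from the review comment above;
// SAMPLE_TX is constructed and is not real OpenSea API output.
const DECIMAL = /^(0|[1-9][0-9]*)$/;                  // no sign, space or leading zero
const HEX_QTY = /^0x(0|[1-9a-fA-F][0-9a-fA-F]*)$/;    // hex quantity, no leading zero
const MAX_UINT256 = (1n << 256n) - 1n;

// Convert an API value (decimal string of wei) into a 0x-prefixed hex quantity.
function toHexQuantity(value) {
  // A JS number silently loses precision above 2^53 - 1, so accept strings only.
  if (typeof value !== "string") throw new TypeError("value must be a string");
  if (!DECIMAL.test(value) && !HEX_QTY.test(value)) {
    throw new RangeError(`not a decimal or hex quantity: ${JSON.stringify(value)}`);
  }
  const wei = BigInt(value); // BigInt parses both "123" and "0x7b"
  if (wei > MAX_UINT256) throw new RangeError("value exceeds uint256");
  return "0x" + wei.toString(16);
}

// Build one calls[] entry; reject anything that is not an address plus hex calldata.
function toCall(tx) {
  if (typeof tx.to !== "string" || !/^0x[0-9a-fA-F]{40}$/.test(tx.to)) {
    throw new RangeError("to is not a 20-byte hex address");
  }
  // A decoded struct (object) in place of calldata is rejected here.
  if (typeof tx.data !== "string" || !/^0x([0-9a-fA-F]{2})*$/.test(tx.data)) {
    throw new RangeError("data is not hex calldata");
  }
  return { to: tx.to, data: tx.data, value: toHexQuantity(tx.value) };
}

const SAMPLE_TX = {
  to: "0x0000000000000068F116a894984e2DB1123eB395", // Seaport 1.6, as cited above
  data: "0xdeadbeef",                                // placeholder calldata
  value: "20000000000000000",                        // decimal wei, as an API returns it
};
console.log(toCall(SAMPLE_TX));
```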
