security: remove hardcoded Uniswap API key from public plugin doc#83
Open
memosr wants to merge 1 commit into
Open
security: remove hardcoded Uniswap API key from public plugin doc#83memosr wants to merge 1 commit into
memosr wants to merge 1 commit into
Conversation
skills/base-mcp/plugins/uniswap.md:28 contained a live x-api-key value committed to the public repo. Anyone who clones can extract it; once abused, the key gets rate-limited or revoked, silently breaking the plugin for every legitimate user copying this example. It also normalizes embedding raw secrets in skill files, which is the exact opposite of what plugin authors should learn from a reference implementation. Replaced with <YOUR_UNISWAP_API_KEY> placeholder (matching the <*> convention already used elsewhere in the same file) and added a one-line note under the auth section pointing to https://hub.uniswap.org/ with a reminder not to commit credentials. The shared key in the public repo should also be rotated out of band by whoever issued it.
Collaborator
🟡 Heimdall Review Status
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
skills/base-mcp/plugins/uniswap.mdline 28 contains a livex-api-keyvalue committed to the public repository:"x-api-key": "NeoYO3V50_koJAipDEalYWbMO1XMaFPAQmpOm6_Npo0"
This is a real credential anyone who clones the repo can extract.
Why this matters
Immediate risk: the key can be abused by anyone, which leads to rate-limiting or revocation. Once that happens, every user copying this plugin example as a starting point sees auth failures with no indication that the cause is a shared-and-burned credential.
Long-term risk: this file is positioned as a reference plugin. Anyone authoring a new Base MCP plugin uses it as a template. Shipping a hardcoded secret in the reference teaches plugin authors that embedding raw credentials in skill files is the expected pattern.
The fix
The placeholder format
<YOUR_*>matches the existing convention used elsewhere in the same file (e.g.,<address>,<base units>).Also added a one-line note under the
## Auth Headerssection:Follow-up recommendation
The leaked key should be rotated out of band by whoever originally issued it, independent of this PR. Removing it from the source tree alone doesn't invalidate the key; only the issuer can do that.
Verification
skills/base-mcp/plugins/uniswap.md<*>convention in the file