Is dfinzer/opensea-mcp safe?
https://github.com/openclaw/skills/tree/main/skills/dfinzer/opensea-mcp
The dfinzer/opensea-mcp skill is a functional OpenSea API integration with no prompt injection, no active malware, and a clean installation process. However, it carries meaningful financial risk through direct private-key cryptocurrency transaction execution without user confirmation gates, misleading documentation that shows private keys as CLI arguments (contradicting the actual script's env-var approach), and a /tmp race condition in the swap script. A subtler integrity concern is that the skill's reference documentation lists the openclaw publisher's own tokens (CLAWD, 4CLAW, MOLT) as 'common' tokens without any conflict-of-interest disclosure, potentially steering users toward trading those specific assets.
Findings (8)
HIGH Direct private-key blockchain transaction execution with no confirmation gate -25
opensea-swap.sh reads PRIVATE_KEY from the environment, calls mcporter to fetch swap transaction calldata from OpenSea's MCP API, then executes the transaction via viem's wallet.sendTransaction() without any user confirmation step. The transaction is irreversible once submitted. An attacker who controls the MCP response (via MITM or OPENSEA_BASE_URL poisoning) or the /tmp swap quote file could redirect funds to an arbitrary address.
HIGH Documentation instructs passing private keys as CLI positional arguments -20
Both SKILL.md and references/token-swaps.md show usage examples where the private key is the 4th positional argument to opensea-swap.sh. CLI arguments are visible in system process listings (ps aux), shell history files, and audit logs. The actual script uses an environment variable (better), but the inconsistency between documentation and implementation suggests this was recently changed and not fully audited. Users following the documented examples would expose their private key in process listings.
MEDIUM Undisclosed conflict of interest: operator tokens listed as 'common' -30
The references/token-swaps.md file includes a 'Common Token Addresses (Base)' table that lists CLAWD (0x9f86db9fc6f7c9408e8fda3ff8ce4e78ac7a6b07) and 4CLAW (0x3b94a3fa7f33930cf9fdc5f36cb251533c947b07) alongside WETH and USDC. These tokens share branding with the openclaw skill repository publisher and are not commonly traded assets. Their prominent placement without any conflict-of-interest disclosure could nudge AI agents or users toward trading the publisher's own tokens, constituting an undisclosed financial incentive embedded in skill documentation.
MEDIUM OPENSEA_BASE_URL allows full API call redirection and credential exfiltration -10
Every GET and POST script reads OPENSEA_BASE_URL from the environment, defaulting to api.opensea.io. A co-installed malicious skill or environment variable injection could set this to an attacker-controlled server. All subsequent OpenSea API calls — including NFT lookups, marketplace queries, and transaction requests — would then send the user's OPENSEA_API_KEY to the attacker, along with all request payloads (wallet addresses, order hashes, transaction data).
MEDIUM Temporary file race condition allows transaction destination substitution -12
opensea-swap.sh writes the raw MCP swap quote (including transaction destination address and calldata) to /tmp/opensea_swap_quote.json, then reads and parses it in a separate Node.js subprocess. Between the write and read, a local attacker sharing the same user account could overwrite /tmp/opensea_swap_quote.json with crafted transaction data pointing to their own wallet address, causing the subsequent sendTransaction() call to send funds to the attacker.
LOW Private key in environment variable is readable from /proc -5
While using an environment variable for the private key is better than a CLI argument, environment variables for a running process are readable from /proc/
INFO Canary files accessed (read-only) — likely audit infrastructure -5
Honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCP credentials) were opened and read at 07:50:45 (before git clone) and again at ~07:51:10 (after install). The pre-clone access at audit event 1771919445 correlates with sudo process initialization. The post-install batch correlates with the audit system's post-install sweep. No content modification was detected; canary integrity check confirmed all files intact.
INFO Installation was clean — only GitHub network contact 0
The skill was installed via git sparse-checkout from github.com/openclaw/skills.git. The only external TCP connection during installation was to 140.82.121.4:443 (GitHub CDN). No DNS queries to unexpected domains, no unexpected processes, and no filesystem writes outside /home/oc-exec/skill-under-test/ were observed.