diff --git a/skills/base-mcp/SKILL.md b/skills/base-mcp/SKILL.md index 6f4831f..f1cb04c 100644 --- a/skills/base-mcp/SKILL.md +++ b/skills/base-mcp/SKILL.md @@ -80,7 +80,7 @@ Plugins currently maintained alongside this skill (the **native plugins**). Use | [o1.exchange](plugins/o1-exchange.md) | Swap tokens on o1.exchange, optionally with Permit2 gasless approvals and MEV-protected routing. | Quotes, standard swaps via `send_calls`, Permit2 swaps via private relay. | Multi-chain (Base, BSC). Quotes can move and swaps are irreversible; confirm slippage and watch for low-liquidity tokens. | | [OpenSea](plugins/opensea.md) | Trade NFTs, swap tokens, or mint drops on OpenSea. | NFT buy/sell/list, token swaps, drops/minting, submit via `send_calls`. | Multi-chain (Ethereum, Base, Polygon, Arbitrum, Optimism, Avalanche). Requires an API key; trades are irreversible — confirm token, price, and slippage first. | | [Printr](plugins/printr.md) | Launch a cross-chain token on Printr. | Prepare token-creation calldata via HTTP API, submit via `send_calls`. | Multi-chain (Base, Arbitrum, Optimism, Polygon, BSC, Avalanche, Ethereum). New tokens can be illiquid; launches are irreversible. | -| [Uniswap](plugins/uniswap.md) | Swap tokens or manage Uniswap liquidity positions. | Token swaps, approval checks, V2/V3/V4 LP create/increase/decrease/collect flows. | Base only. Quotes can move; confirm slippage and token/position details before writes. | +| [Uniswap](plugins/uniswap.md) | Swap tokens or manage Uniswap liquidity positions. | Token swaps, approval checks, V2/V3/V4 LP create/increase/decrease/collect flows. | Requires a free per-operator API key from the Uniswap developer portal (see plugin `## Auth`). Quotes can move; confirm slippage and token/position details before writes. | | [Venice](plugins/venice.md) | Run private AI inference or media generation on Venice, optionally funded with x402. | Text and media inference via the Venice API, optional Base x402 wallet funding. | Base only. Requires SIWE login; inference handles personal data and paid calls are irreversible. | | [Virtuals](plugins/virtuals.md) | Create or operate Virtuals AI agents, payment cards, or agent email. | Agent management, card setup and limits, email inbox/thread actions, SIWE login. | Requires the Virtuals MCP and a signed login. Handles personal data; avoid exposing tokens, OTPs, card details, or email contents unnecessarily. | | [YO](plugins/yo.md) | View YO vaults, check positions, deposit, or request redeem on YO yield vaults. | ERC-4626 vault reads via `chain_rpc_request`, deposit, request redeem via `send_calls`. | Multi-chain (Base, Ethereum, Arbitrum). Deposits and redeems are irreversible; confirm amounts and vault before writes. | diff --git a/skills/base-mcp/plugins/uniswap.md b/skills/base-mcp/plugins/uniswap.md index 6efe665..0933ce3 100644 --- a/skills/base-mcp/plugins/uniswap.md +++ b/skills/base-mcp/plugins/uniswap.md @@ -3,7 +3,7 @@ title: "Uniswap Plugin" description: "Swap tokens and manage liquidity positions on Uniswap." tags: [dex, swap, liquidity] name: uniswap -version: 0.2.0 +version: 0.3.0 integration: http-api chains: [base] requires: @@ -20,6 +20,9 @@ risk: [slippage] > [!IMPORTANT] > Complete the short Base MCP onboarding flow defined in `SKILL.md` before calling any Uniswap endpoint. The user's wallet address — passed as `walletAddress` in every swap and LP call — is fetched lazily when needed. +> [!IMPORTANT] +> **Before calling any Uniswap endpoint, obtain an API key.** Every request needs an `x-api-key` header, and there is no shared key — each operator brings their own, generated for free on the Uniswap developer portal. See `## Auth` for the one-time setup. + ## Overview Uniswap on Base: token swaps using the proxy-approval flow (no Permit2 signing) and LP position management for V2, V3, and V4. The plugin fetches unsigned calldata from the Uniswap API, then executes transaction previews with `send_calls`. No additional MCP server is required. @@ -28,15 +31,36 @@ Uniswap on Base: token swaps using the proxy-approval flow (no Permit2 signing) ## Auth -Use these headers for all requests: +Uniswap's Trading and LP APIs require a per-operator API key, sent as the `x-api-key` header on every request. **There is no shared or hardcoded key.** Each operator brings their own key: this binds their usage to Uniswap's developer terms, keeps rate limits (RPS) scoped to them rather than shared with everyone, and avoids one public key accumulating spam traffic. + +### Obtaining a key + +Creating a free account on the Uniswap developer portal automatically generates an API key: + +1. Open . +2. Sign up — "Continue with Google", "Continue with GitHub", or "Continue with email". +3. A key is issued automatically on account creation. Copy it from the dashboard. + +Account creation can't be scripted through this plugin, so complete it one of two ways: + +- **Operator-driven (default).** Ask the operator to run the sign-up above and provide the resulting API key. This is the normal path — most harnesses can't create an email account or click through a web sign-up. +- **Agent-driven (only if you control both an inbox and a browser).** If — and only if — this harness can drive a browser *and* read a mailbox you own (e.g. a connected email account/MCP, for any confirmation link), you may complete the sign-up yourself: navigate to the portal, register with your own email, confirm if prompted, and read the generated key from the dashboard. Never invent, guess, or reuse another party's credentials or key. + +### Using and storing the key + +Send the operator's key as `x-api-key` on every request: ```json { "Content-Type": "application/json", - "x-api-key": "NeoYO3V50_koJAipDEalYWbMO1XMaFPAQmpOm6_Npo0" + "x-api-key": "" } ``` +- Prefer a harness secret or environment variable over pasting the raw key into chat. If the harness has no secret mechanism and the operator must paste it, they must paste the key **in full, exactly as issued** — never truncated, abbreviated, or reconstructed; a partial key causes confusing auth failures. +- Never echo the API key back to the user, log it, or include it in `send_calls` parameters or any onchain calldata. +- Use one key per operator. Do not share a key across users — that re-creates the shared-key problems above (unbound terms acceptance, pooled rate limits, spam). + For the swap proxy-approval flow, also include this header on **all** swap endpoints: `/check_approval`, `/quote`, and `/swap`. ```json @@ -477,6 +501,7 @@ Apply the same thresholds to swap and LP slippage. If the user did not specify a ## Notes +- Every request needs a per-operator `x-api-key` from — there is no shared key. See `## Auth`. - Native ETH address: `0x0000000000000000000000000000000000000000` - USDC on Base: `0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913` - WETH on Base: `0x4200000000000000000000000000000000000006`