From 16bf34cdb7684c79c25193c7ddda9827cd0d6169 Mon Sep 17 00:00:00 2001 From: Alex Francisci Date: Thu, 9 Jul 2026 17:48:49 -0400 Subject: [PATCH] feat: replace hardcoded Uniswap API key with per-operator developer-portal key The plugin shipped a shared, hardcoded x-api-key. A public key lets anyone call the API without being bound to Uniswap's developer terms, and pools RPS across everyone while attracting spam. Direct each operator to generate their own free key on the Uniswap developer portal instead. - Remove the hardcoded key; use a placeholder - Rewrite ## Auth: portal sign-up flow (auto-generates a key), operator-driven (default) vs agent-driven (browser + inbox) completion paths, and key-handling rules (prefer secrets, paste in full, never echo/log or put in calldata) - Add an onboarding IMPORTANT callout and a Notes pointer to the portal - Note the API-key requirement in the SKILL.md plugin catalog row - Bump plugin version 0.2.0 -> 0.3.0 Co-Authored-By: Claude Opus 4.8 --- skills/base-mcp/SKILL.md | 2 +- skills/base-mcp/plugins/uniswap.md | 31 +++++++++++++++++++++++++++--- 2 files changed, 29 insertions(+), 4 deletions(-) diff --git a/skills/base-mcp/SKILL.md b/skills/base-mcp/SKILL.md index 6f4831f..f1cb04c 100644 --- a/skills/base-mcp/SKILL.md +++ b/skills/base-mcp/SKILL.md @@ -80,7 +80,7 @@ Plugins currently maintained alongside this skill (the **native plugins**). Use | [o1.exchange](plugins/o1-exchange.md) | Swap tokens on o1.exchange, optionally with Permit2 gasless approvals and MEV-protected routing. | Quotes, standard swaps via `send_calls`, Permit2 swaps via private relay. | Multi-chain (Base, BSC). Quotes can move and swaps are irreversible; confirm slippage and watch for low-liquidity tokens. | | [OpenSea](plugins/opensea.md) | Trade NFTs, swap tokens, or mint drops on OpenSea. | NFT buy/sell/list, token swaps, drops/minting, submit via `send_calls`. | Multi-chain (Ethereum, Base, Polygon, Arbitrum, Optimism, Avalanche). Requires an API key; trades are irreversible — confirm token, price, and slippage first. | | [Printr](plugins/printr.md) | Launch a cross-chain token on Printr. | Prepare token-creation calldata via HTTP API, submit via `send_calls`. | Multi-chain (Base, Arbitrum, Optimism, Polygon, BSC, Avalanche, Ethereum). New tokens can be illiquid; launches are irreversible. | -| [Uniswap](plugins/uniswap.md) | Swap tokens or manage Uniswap liquidity positions. | Token swaps, approval checks, V2/V3/V4 LP create/increase/decrease/collect flows. | Base only. Quotes can move; confirm slippage and token/position details before writes. | +| [Uniswap](plugins/uniswap.md) | Swap tokens or manage Uniswap liquidity positions. | Token swaps, approval checks, V2/V3/V4 LP create/increase/decrease/collect flows. | Requires a free per-operator API key from the Uniswap developer portal (see plugin `## Auth`). Quotes can move; confirm slippage and token/position details before writes. | | [Venice](plugins/venice.md) | Run private AI inference or media generation on Venice, optionally funded with x402. | Text and media inference via the Venice API, optional Base x402 wallet funding. | Base only. Requires SIWE login; inference handles personal data and paid calls are irreversible. | | [Virtuals](plugins/virtuals.md) | Create or operate Virtuals AI agents, payment cards, or agent email. | Agent management, card setup and limits, email inbox/thread actions, SIWE login. | Requires the Virtuals MCP and a signed login. Handles personal data; avoid exposing tokens, OTPs, card details, or email contents unnecessarily. | | [YO](plugins/yo.md) | View YO vaults, check positions, deposit, or request redeem on YO yield vaults. | ERC-4626 vault reads via `chain_rpc_request`, deposit, request redeem via `send_calls`. | Multi-chain (Base, Ethereum, Arbitrum). Deposits and redeems are irreversible; confirm amounts and vault before writes. | diff --git a/skills/base-mcp/plugins/uniswap.md b/skills/base-mcp/plugins/uniswap.md index 6efe665..0933ce3 100644 --- a/skills/base-mcp/plugins/uniswap.md +++ b/skills/base-mcp/plugins/uniswap.md @@ -3,7 +3,7 @@ title: "Uniswap Plugin" description: "Swap tokens and manage liquidity positions on Uniswap." tags: [dex, swap, liquidity] name: uniswap -version: 0.2.0 +version: 0.3.0 integration: http-api chains: [base] requires: @@ -20,6 +20,9 @@ risk: [slippage] > [!IMPORTANT] > Complete the short Base MCP onboarding flow defined in `SKILL.md` before calling any Uniswap endpoint. The user's wallet address — passed as `walletAddress` in every swap and LP call — is fetched lazily when needed. +> [!IMPORTANT] +> **Before calling any Uniswap endpoint, obtain an API key.** Every request needs an `x-api-key` header, and there is no shared key — each operator brings their own, generated for free on the Uniswap developer portal. See `## Auth` for the one-time setup. + ## Overview Uniswap on Base: token swaps using the proxy-approval flow (no Permit2 signing) and LP position management for V2, V3, and V4. The plugin fetches unsigned calldata from the Uniswap API, then executes transaction previews with `send_calls`. No additional MCP server is required. @@ -28,15 +31,36 @@ Uniswap on Base: token swaps using the proxy-approval flow (no Permit2 signing) ## Auth -Use these headers for all requests: +Uniswap's Trading and LP APIs require a per-operator API key, sent as the `x-api-key` header on every request. **There is no shared or hardcoded key.** Each operator brings their own key: this binds their usage to Uniswap's developer terms, keeps rate limits (RPS) scoped to them rather than shared with everyone, and avoids one public key accumulating spam traffic. + +### Obtaining a key + +Creating a free account on the Uniswap developer portal automatically generates an API key: + +1. Open . +2. Sign up — "Continue with Google", "Continue with GitHub", or "Continue with email". +3. A key is issued automatically on account creation. Copy it from the dashboard. + +Account creation can't be scripted through this plugin, so complete it one of two ways: + +- **Operator-driven (default).** Ask the operator to run the sign-up above and provide the resulting API key. This is the normal path — most harnesses can't create an email account or click through a web sign-up. +- **Agent-driven (only if you control both an inbox and a browser).** If — and only if — this harness can drive a browser *and* read a mailbox you own (e.g. a connected email account/MCP, for any confirmation link), you may complete the sign-up yourself: navigate to the portal, register with your own email, confirm if prompted, and read the generated key from the dashboard. Never invent, guess, or reuse another party's credentials or key. + +### Using and storing the key + +Send the operator's key as `x-api-key` on every request: ```json { "Content-Type": "application/json", - "x-api-key": "NeoYO3V50_koJAipDEalYWbMO1XMaFPAQmpOm6_Npo0" + "x-api-key": "" } ``` +- Prefer a harness secret or environment variable over pasting the raw key into chat. If the harness has no secret mechanism and the operator must paste it, they must paste the key **in full, exactly as issued** — never truncated, abbreviated, or reconstructed; a partial key causes confusing auth failures. +- Never echo the API key back to the user, log it, or include it in `send_calls` parameters or any onchain calldata. +- Use one key per operator. Do not share a key across users — that re-creates the shared-key problems above (unbound terms acceptance, pooled rate limits, spam). + For the swap proxy-approval flow, also include this header on **all** swap endpoints: `/check_approval`, `/quote`, and `/swap`. ```json @@ -477,6 +501,7 @@ Apply the same thresholds to swap and LP slippage. If the user did not specify a ## Notes +- Every request needs a per-operator `x-api-key` from — there is no shared key. See `## Auth`. - Native ETH address: `0x0000000000000000000000000000000000000000` - USDC on Base: `0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913` - WETH on Base: `0x4200000000000000000000000000000000000006`