moonfun_sdk

Python SDK for BSC enabling creation of AI-generated Meme tokens with stable minting and experimental token trading (buy/sell) features.

This package implements its stated features, but review and caution are required before using with real funds or your primary wallet. Actionable steps: - Do not use your main wallet; create a dedicated disposable wallet with a small BNB balance for testing. - Expect to set PRIVATE_KEY (environment variable or parameter) — the registry metadata omitted this; confirm required envs before installing. - Replace the default image API URL (http://moonfun.site) with an HTTPS endpoint or self-host the image API to avoid sending signatures and addresses over plaintext HTTP. If you must use the default, inspect network traffic (mitmproxy) and be aware signatures could be observed/replayed within their time window. - Note auth.py exposes a .private_key property. If you or other code call that, the raw key becomes accessible in-process — avoid calling it and consider modifying the SDK to remove that accessor before use. - Audit the code paths that transmit data (image_api.py, platform.py) to confirm only signatures and addresses are sent and that timestamps/replay-windows match your threat model. - Prefer installing from reviewed source (pip install -e .) after inspecting the files, and run dependency scanners (safety, bandit). Start with minimal BNB and small test transactions. If you want, I can point out the exact lines that implement the .private_key accessor and the default HTTP endpoint and suggest minimal code changes (e.g., remove the accessor, require HTTPS) to reduce risk.

Type: OpenClaw Skill Name: moonfunsdk Version: 1.0.6 The skill bundle is classified as suspicious due to a significant vulnerability: the image generation API (`http://moonfun.site`) uses unencrypted HTTP for transmitting sensitive data, including the user's wallet address, cryptographic signature, and AI prompt. While the private key itself is explicitly stated and appears to be handled locally for signing, the use of HTTP exposes these critical pieces of information to potential Man-in-the-Middle (MITM) attacks, allowing interception of user identity and authentication tokens. This vulnerability is present in `python/moonfun_sdk/image_api.py` and the default configuration in `python/moonfun_sdk/client.py` and `python/moonfun_sdk/constants.py`. The extensive documentation and explicit security claims, including instructions for auditing private key handling, suggest an intent for transparency rather than malice, but the unencrypted communication of sensitive data constitutes a critical flaw.