RustChain MCP

Access RustChain blockchain wallets and tokens, BoTTube AI video platform features, and Beacon agent communication tools via a unified MCP server.

This package implements the RustChain/BoTTube/Beacon tools described, but several things deserve caution before installing: - Verify provenance: SKILL metadata lists 'source: unknown' though files reference a GitHub repo and PyPI. Confirm the PyPI package and GitHub repository match the code here. - Secrets and env vars: The code uses environment variables (RUSTCHAIN_NODE, BOTTUBE_URL, BEACON_URL) and optional API keys (BOTTUBE_API_KEY, MOLTBOOK_API_KEY). The skill did not declare these as required—only provide API keys if you trust the maintainer and the endpoints. - TLS verification disabled: The code sets verify=False for httpx/requests, which bypasses TLS cert checks. This makes network traffic vulnerable to man-in-the-middle attacks and increases risk if you provide credentials. - Automated network behavior: evangelist_agent.py will discover agents, post onboarding content, and send Beacon pings (offers/tips). That behavior is potentially spammy and will produce outbound network traffic—run it only in an isolated environment and after reviewing what it posts/whom it contacts. - Default node/IP: The default RUSTCHAIN_NODE is a raw IP (50.28.86.131). Confirm that is an intended and trusted node; consider overriding to a known, vetted node URL. If you plan to use this skill: - Inspect the published PyPI package contents and upstream GitHub repo to ensure they match. - Run in an isolated environment (container/VM) first. - Never supply API keys or secrets until you confirm trust; if you must, consider scoped, low-privilege keys and monitor their use. - Consider patching the code to enable TLS verification (remove verify=False) before supplying secrets or using in production. If you want, I can list the exact lines where verify=False is set, show the env vars the code reads, or help craft safer environment overrides.

Type: OpenClaw Skill Name: rustchain-mcp Version: 0.3.0 The skill bundle provides tools for interacting with the RustChain blockchain and BoTTube video platform, but it contains significant security vulnerabilities. Specifically, rustchain_mcp/server.py, rustchain_langchain/tools.py, and evangelist_agent.py all disable SSL certificate verification (verify=False) for HTTP requests to external endpoints, including a hardcoded IP address (50.28.86.131), which facilitates Man-in-the-Middle (MitM) attacks. Additionally, evangelist_agent.py is designed to autonomously discover and 'ping' other agents on the Beacon network to promote the service, which constitutes automated spamming behavior.