mcp-base-mcp

The server handles highly sensitive information including Coinbase API keys (Key Name and Private Key) and a wallet seed phrase. The `base-mcp --init` command writes these credentials in plaintext to local client configuration files (e.g., `claude_desktop_config.json` for Claude Desktop, `mcp.json` for Cursor) or directly into the `.env` file. This storage method poses a significant risk if the user's local machine or these configuration files are compromised, as it could lead to unauthorized access and control over financial assets. While the code itself does not contain obvious malicious patterns or arbitrary code execution vulnerabilities like `eval`, it performs direct `sendTransaction` calls based on AI-generated requests, which can lead to irreversible financial operations. Users must exercise extreme caution and maintain strong local machine security. The server also integrates with several third-party APIs (Alchemy, OpenRouter, Neynar, Morpho GraphQL), inheriting their respective security postures.