
Add security warnings for PRIVATE_KEY handling #32

Open

mefai-dev wants to merge 1 commit into bnb-chain:main from mefai-dev:fix/private-key-security-warning

Conversation

@mefai-dev

The config example shows PRIVATE_KEY in a JSON file with no warning about version control exposure. Added .gitignore recommendation and guidance to prefer env vars over direct parameter passing.

@hashdit-bot

hashdit-bot bot commented Mar 13, 2026

Pull Request Review

This PR updates skills/bnbchain-mcp-skill/SKILL.md to strengthen guidance around PRIVATE_KEY handling in MCP configuration and tool usage. It adds an explicit security warning about not committing config files containing keys and recommends using .gitignore plus environment variables for production key management. It also clarifies that passing private keys directly as tool parameters is riskier because keys can appear in tool call payloads.

Sensitive Content

No sensitive content detected.

Security Issues

No serious security issues detected.


Generated by Hashdit Bot. This tool can absolutely NOT replace manual audits.

## Summary
- Config example shows PRIVATE_KEY in a JSON file with no security guidance
- Added .gitignore recommendation and env var preference to prevent key exposure

## Type of Change
- [x] Security improvement

## Changes Made
- Added warning after config example: "Add MCP config to .gitignore. Never commit PRIVATE_KEY to version control."
- Added guidance to prefer env vars over direct parameter passing for key safety

## Testing
- [x] Warning follows security best practices
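
The two recommendations in this PR (keep the MCP config out of version control, and reference the key from the environment instead of writing it into the JSON) can be checked mechanically. The script below is an added example, not part of this PR or the bnbchain-mcp project: it lints a constructed MCP config for `env` entries that hold a raw 64-hex-character key rather than an `${VAR}` reference, and then checks the config path against a simplified .gitignore matcher. The `mcpServers -> name -> env` layout, the package name in `args`, and the placeholder key value are all assumptions made up for the example.

```python
"""Lint an MCP config for private keys stored as literals, and check that the
config file path is covered by .gitignore.  All sample input is constructed."""
import fnmatch
import json
import re

# Constructed MCP config.  The "mcpServers -> name -> env" shape and the
# package name are assumptions; the key value is a made-up placeholder.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "bnbchain-mcp": {
            "command": "npx",
            "args": ["-y", "@bnb-chain/mcp"],          # hypothetical package
            "env": {"PRIVATE_KEY": "0x" + "ab" * 32},  # literal key: flagged
        },
        "other": {
            "command": "node",
            "env": {"PRIVATE_KEY": "${PRIVATE_KEY}"},  # env reference: fine
        },
    }
})

HEX_KEY = re.compile(r"^(0x)?[0-9a-fA-F]{64}$")        # 32-byte secp256k1 key
ENV_REF = re.compile(r"^\$\{?[A-Z_][A-Z0-9_]*\}?$")    # $VAR or ${VAR}


def find_literal_keys(config_text):
    """Return (server, var) pairs whose env value looks like a raw private key."""
    cfg = json.loads(config_text)
    hits = []
    for name, server in cfg.get("mcpServers", {}).items():
        for var, value in (server.get("env") or {}).items():
            if "KEY" not in var.upper() or not isinstance(value, str):
                continue
            if ENV_REF.match(value):
                continue  # the secret lives in the shell environment, not the file
            if HEX_KEY.match(value):
                hits.append((name, var))
    return hits


def is_ignored(path, gitignore_text):
    """Simplified .gitignore semantics: '#' comments, '!' negation, 'dir/'
    directory patterns, basename matching for patterns without a '/'.
    (fnmatch lets '*' cross '/', which real git does not; good enough here.)"""
    ignored = False
    parts = path.split("/")
    for raw in gitignore_text.splitlines():
        pat = raw.strip()
        if not pat or pat.startswith("#"):
            continue
        negate = pat.startswith("!")
        if negate:
            pat = pat[1:]
        anchored = "/" in pat.rstrip("/")
        pat = pat.lstrip("/")
        if pat.endswith("/"):
            # directory pattern: any parent component may match
            matched = any(fnmatch.fnmatch(p, pat.rstrip("/")) for p in parts[:-1])
        else:
            target = path if anchored else parts[-1]
            matched = fnmatch.fnmatch(target, pat)
        if matched:
            ignored = not negate  # last matching pattern wins
    return ignored


def audit(config_path, config_text, gitignore_text):
    """Combine both checks into a list of findings; an empty list means clean."""
    findings = [
        f"{config_path}: {s}.env.{v} holds a literal key; use ${{{v}}} and export it"
        for s, v in find_literal_keys(config_text)
    ]
    if not is_ignored(config_path, gitignore_text):
        findings.append(f"{config_path} is not covered by .gitignore")
    return findings


if __name__ == "__main__":
    for line in audit(".cursor/mcp.json", SAMPLE_CONFIG, "node_modules/\n"):
        print(line)
```

Run it over a real config by reading the file into `config_text` and the repository's `.gitignore` into `gitignore_text`; a clean result is an empty list. The linter deliberately accepts `${PRIVATE_KEY}` so that the documented pattern (key exported from the shell, referenced from the config) passes, while a pasted hex key fails.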

@mefai-dev force-pushed the fix/private-key-security-warning branch from 3001e9f to 1e0ef6f (March 13, 2026 23:47)

@hashdit-bot

hashdit-bot bot commented Mar 13, 2026

Pull Request Review

This PR updates the bnbchain-mcp skill documentation to strengthen private key handling guidance. It adds an explicit security warning near the MCP config example about not committing PRIVATE_KEY-containing config files and recommends .gitignore usage. It also clarifies best practices to prefer environment-variable-based key injection over passing private keys directly as tool parameters due to payload exposure risk.

Sensitive Content

No sensitive content detected.

Security Issues

No serious security issues detected.


Generated by Hashdit Bot. This tool can absolutely NOT replace manual audits.
