fix: address password security review for x402_fetch

Intellihackz · Intellihackz · commit 82fbfa3e6235 · 2026-06-24T06:45:53.000+01:00
diff --git a/src/mcp/server.ts b/src/mcp/server.ts
@@ -997,7 +997,7 @@ server.tool(
   'and retrying the request. IMPORTANT: Real on-chain payment with real funds.',
   {
     address: injAddress.describe('The inj1... address of your trading wallet.'),
-    password: z.string().describe('Keystore password to decrypt the private key for signing.'),
+    password: z.string().describe('Keystore password to decrypt the private key for signing. SECURITY: Never log, store, or echo this. Use secret inputs only.'),
     url: z.string().url().describe('The URL of the x402-gated API endpoint.'),
   },
   async ({ address, password, url }) => {

Original file line number	Diff line number	Diff line change
`@@ -997,7 +997,7 @@ server.tool(`
`997`	`997`	`'and retrying the request. IMPORTANT: Real on-chain payment with real funds.',`
`998`	`998`	`{`
`999`	`999`	`address: injAddress.describe('The inj1... address of your trading wallet.'),`
`1000`		`- password: z.string().describe('Keystore password to decrypt the private key for signing.'),`
	`1000`	`+ password: z.string().describe('Keystore password to decrypt the private key for signing. SECURITY: Never log, store, or echo this. Use secret inputs only.'),`
`1001`	`1001`	`url: z.string().url().describe('The URL of the x402-gated API endpoint.'),`
`1002`	`1002`	`},`
`1003`	`1003`	`async ({ address, password, url }) => {`