
[Security][Medium] Token leakage risk to third-party NFT search endpoint and missing response size limits #10

@numbers-official


Summary

Two medium-severity security concerns were identified during an automated code audit:

1. API Token Sent to Third-Party Pipedream Endpoint

Files: python/numbersprotocol_capture/client.py (L743-753), ts/src/client.ts (L576-583)

The SDK sends the user's Authorization: token {value} header to the NFT search endpoint hosted on Pipedream (https://eofveg1f59hrbn.m.pipedream.net). This is a third-party service, and it receives the full authentication token. While the connection uses HTTPS, users may not expect their Capture API token to be forwarded to external services.

Impact: If the Pipedream endpoint is compromised, or if it logs request headers, user credentials could be exposed.

Suggested fix:

  • Document clearly which external endpoints receive the token
  • Consider whether the NFT search endpoint actually requires authentication, and if not, omit the token
  • Alternatively, use a separate, scoped token for third-party service calls

2. No HTTP Response Body Size Limit

Files: python/numbersprotocol_capture/client.py (all _request and direct HTTP calls), ts/src/client.ts (all fetch calls)

Neither the Python SDK (which uses httpx.Client) nor the TypeScript SDK (which uses fetch) enforces a maximum response body size. A malicious or misconfigured server could return an arbitrarily large response and the client would buffer all of it, causing memory exhaustion in the client application.

Impact: Potential denial-of-service if an API endpoint returns an unexpectedly large payload.

Suggested fix:

  • Python: Use httpx's streaming responses with a size check, or set max_content_length
  • TypeScript: Read the response body in chunks and abort if size exceeds a reasonable limit (e.g., 10 MB)
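The following is an added example, not code from the numbersprotocol SDK, showing one way to address both findings in a single request helper for the Python side: the Authorization header is attached only for HTTPS requests to an allow-list of first-party hosts (finding 1), and the response body is read through httpx's streaming API so that no more than a fixed number of bytes is ever buffered (finding 2). The first-party hostname api.example.invalid, the helper names and the 10 MB default are assumptions; the Pipedream hostname is the one quoted in the issue, and the fake server in `demo()` is constructed with httpx.MockTransport so the example runs offline.

```python
"""Request helpers addressing both findings in this issue.

Added example, not code from the numbersprotocol SDK. Assumptions: the
first-party host `api.example.invalid`, all helper names, and the 10 MB cap.
"""
from typing import Dict, Iterable, Optional
from urllib.parse import urlsplit

try:
    import httpx
except ImportError:  # the checks are pure Python; httpx only drives them
    httpx = None

DEFAULT_MAX_BYTES = 10 * 1024 * 1024                    # 10 MB, as suggested above
FIRST_PARTY_HOSTS = frozenset({"api.example.invalid"})  # assumed first-party API host


class ResponseTooLarge(Exception):
    """Raised before more than the permitted number of body bytes is buffered."""


def auth_headers_for(url: str, token: str,
                     token_hosts: Iterable[str] = FIRST_PARTY_HOSTS) -> Dict[str, str]:
    """Return the Authorization header only for HTTPS requests to allow-listed hosts.

    Any other destination (a third-party search endpoint, a plain-http URL,
    an unexpected host) receives no credential at all.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme == "https" and host in {h.lower() for h in token_hosts}:
        return {"Authorization": f"token {token}"}
    return {}


def parse_content_length(headers) -> Optional[int]:
    """Content-Length as a non-negative int, or None when absent or malformed."""
    value = headers.get("content-length") if headers else None
    if value is None:
        return None
    try:
        n = int(value)
    except ValueError:
        return None
    return n if n >= 0 else None


def read_capped(chunks: Iterable[bytes], max_bytes: int,
                declared_length: Optional[int] = None) -> bytes:
    """Assemble a body from streamed chunks, aborting as soon as the cap is exceeded.

    Two checks: the advertised Content-Length (rejects large responses before any
    body is read) and the running byte count (catches chunked responses and
    servers that lie about Content-Length).
    """
    if declared_length is not None and declared_length > max_bytes:
        raise ResponseTooLarge(f"Content-Length {declared_length} exceeds {max_bytes} bytes")
    buf = bytearray()
    for chunk in chunks:
        buf.extend(chunk)
        if len(buf) > max_bytes:
            raise ResponseTooLarge(f"body exceeded {max_bytes} bytes while streaming")
    return bytes(buf)


def exceeds_cap(chunks: Iterable[bytes], max_bytes: int,
                declared_length: Optional[int] = None) -> bool:
    """True when read_capped would reject the body; convenient for checks."""
    try:
        read_capped(chunks, max_bytes, declared_length)
    except ResponseTooLarge:
        return True
    return False


def get_capped(client, url: str, token: str, max_bytes: int = DEFAULT_MAX_BYTES,
               token_hosts: Iterable[str] = FIRST_PARTY_HOSTS) -> bytes:
    """GET `url` through `client` (an httpx.Client) with both safeguards applied.

    Streaming means the oversized body is never fully buffered; leaving the
    `with` block on error closes the response instead of draining it.
    """
    headers = auth_headers_for(url, token, token_hosts)
    with client.stream("GET", url, headers=headers) as response:
        response.raise_for_status()
        return read_capped(response.iter_bytes(), max_bytes,
                           parse_content_length(response.headers))


def demo(max_bytes: int = 1024) -> Dict[str, object]:
    """Offline run against a constructed server that always replies with a body
    four times larger than the cap; reports which hosts saw a token and how the
    client reacted. Skipped when httpx is not installed."""
    if httpx is None:
        return {"skipped": True}
    seen: Dict[str, bool] = {}

    def handler(request):
        seen[request.url.host] = "authorization" in request.headers
        return httpx.Response(200, content=b"A" * (max_bytes * 4))

    result: Dict[str, object] = {"skipped": False}
    with httpx.Client(transport=httpx.MockTransport(handler)) as client:
        for url in ("https://api.example.invalid/assets",
                    "https://eofveg1f59hrbn.m.pipedream.net/search"):
            try:
                get_capped(client, url, "secret-token", max_bytes)
                result[url] = "accepted"
            except ResponseTooLarge:
                result[url] = "rejected"
    result["token_seen_by"] = seen
    return result


if __name__ == "__main__":
    print(demo())
```

httpx does not impose a body limit on its own, so the cap has to be enforced by the caller while streaming, as above. Because the header decision is made from the URL the helper is given, redirects (which httpx does not follow by default) should stay disabled, or the allow-list check should be repeated for each redirect target.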

Severity

Medium — no immediate exploitation risk, but both issues reduce defense in depth.
