Lines 1-39javascript
2// TapMarket MCP server — lets any MCP client (Claude, OpenClaw, etc.) hire paid
3// specialists on TapMarket. Crypto hidden; charges and limits always visible.
4import { Server } from "@modelcontextprotocol/sdk/server/index.js";
5import { StdioServerTransport } from "@modelcontextprotocol/sdk/server/stdio.js";
6import { CallToolRequestSchema, ListToolsRequestSchema } from "@modelcontextprotocol/sdk/types.js";
7import { createPublicClient, http, parseAbi, encodeFunctionData, formatUnits } from "viem";
8import { baseSepolia } from "viem/chains";
9import { createKernelAccountClient } from "@zerodev/sdk";
10import { KERNEL_V3_1, getEntryPoint } from "@zerodev/sdk/constants";
11import { deserializePermissionAccount } from "@zerodev/permissions";
12import { config } from "dotenv";
13import { appendFileSync } from "fs";
14import { homedir } from "os";
15import { join } from "path";
16import { CATALOG } from "./catalog.js";
17import { ZERODEV_RPC as ZRPC } from "./init-lib.js";
18import { readFileSync, existsSync } from "fs";
20const WALLET_FILE = process.env.TAPMARKET_WALLET ?? new URL("./wallet.json", import.meta.url).pathname;
21if (!existsSync(WALLET_FILE)) {
22 console.error("No wallet found. Run: npx tapmarket-connect setup");
25const wallet = JSON.parse(readFileSync(WALLET_FILE, "utf8"));
27config({ path: new URL("../.env.local", import.meta.url).pathname, quiet: true });
29const TAP_MARKET = "0xBfd085f192d2246F1BFBe386DF399335dc894f2c";
30const USDC = "0x036CbD53842c5426634e7929541eC2318f3dCF7e";
31const ZERODEV_RPC = ZRPC;
32// routes now come from catalog entries (endpoint + shape)
34const marketAbi = parseAbi(["function buyPack(uint256 listingId, uint256 numUses, uint64 capPerPeriod)", "function escrows(uint256,address) view returns (uint256 balance, uint256 usesPurchased, uint256 usesSettled, uint64 capPerPeriod, uint64 periodStart, uint64 usedThisPeriod, uint64 purchaseTime)"]);
35const usdcAbi = parseAbi(["function approve(address,uint256)", "function balanceOf(address) view returns (uint256)"]);
36const publicClient = createPublicClient({ chain: baseSepolia, transport: http("https://sepolia.base.org") });
37const account = await deserializePermissionAccount(
CriticalCredential Exfiltration
Source appears to send environment or credential material to an external endpoint.
server.jsView on unpkg · L19 CriticalTrigger Reachable Dangerous Capability
A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.
server.jsView on unpkg · L19 38 publicClient, getEntryPoint("0.7"), KERNEL_V3_1, wallet.sessionApproval