opensea
Audited by Socket on Mar 6, 2026
2 alerts found:
Security (x2)

1. The script is not itself obfuscated or explicitly malicious, but it dangerously delegates construction of executable on-chain transaction payloads to an external service (mcporter/OpenSea MCP) and then uses the user's PRIVATE_KEY to sign and broadcast that payload without validation. This creates a high-risk supply-chain/trust vulnerability: a compromised or malicious quote provider can cause complete loss of funds. Treat the script as an unsafe convenience tool unless additional safeguards are implemented (txData validation, confirmations, use of a low-privilege key or remote signer).

2. The OpenSea integration footprint is broadly coherent with its stated purpose and includes expected API and MCP-based operations. However, the presence of wallet private-key generation and printing in the examples is a serious misalignment with secure usage norms and creates a non-trivial risk of credential leakage. This pattern elevates the overall risk profile and warrants remediation: remove any private key generation/printing examples, enforce secure key management, require users to import existing keys or use hardware wallets, and avoid echoing secrets in logs or outputs. Otherwise, the rest of the toolchain (CLI/SDK/script usage) is reasonable for legitimate OpenSea-centric workflows.