critical

@paylobster/mcp-server

v1.7.0

MCP server for PayLobster agent payment infrastructure

npm · itsgustav · First seen Feb 25, 2026 · Source

51

Total

14

Critical

5

High

32

Medium

Findings

unknown
critical · DE-002 · Data Exfiltration · High Confidence · Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive. The excerpt shows the value being read from an environment variable into the in-process config object; it does not show the value being sent anywhere, so the "exfiltration" label rests on the pattern match alone and should be confirmed against the code that consumes the config.

    171:   network: 'mainnet',
    172:   rpcUrl: 'https://base-rpc.publicnode.com',
>>> 173:   wallet: { privateKey: process.env.PAYLOBSTER_PRIVATE_KEY },
    174: });
    175: 
critical · DE-002 · Data Exfiltration · High Confidence · Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    60:     // Merge with environment variables
    61:     const config = {
>>> 62:         network: (process.env.PAYLOBSTER_NETWORK || fileConfig.network || 'base-sepolia'),
    63:         rpcUrl: process.env.PAYLOBSTER_RPC_URL || fileConfig.rpcUrl,
    64:         contracts: fileConfig.contracts,
critical · DE-002 · Data Exfiltration · High Confidence · Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    61:     const config = {
    62:         network: (process.env.PAYLOBSTER_NETWORK || fileConfig.network || 'base-sepolia'),
>>> 63:         rpcUrl: process.env.PAYLOBSTER_RPC_URL || fileConfig.rpcUrl,
    64:         contracts: fileConfig.contracts,
    65:         wallet: {
critical · DE-002 · Data Exfiltration · High Confidence · Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    8: exports.updateWebhook = updateWebhook;
    9: const zod_1 = require("zod");
>>> 10: const API_URL = process.env.PAYLOBSTER_API_URL || 'https://paylobster.com';
    11: exports.registerWebhookSchema = zod_1.z.object({
    12:     url: zod_1.z.string(),
critical · DE-002 · Data Exfiltration · High Confidence · Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    4: exports.swapSmart = swapSmart;
    5: const zod_1 = require("zod");
>>> 6: const API_BASE = process.env.PAYLOBSTER_API_URL || 'https://paylobster.com';
    7: // Well-known tokens for symbol resolution
    8: const KNOWN_TOKENS = {
critical · DE-002 · Data Exfiltration · High Confidence · Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    6: exports.listPaymentLinks = listPaymentLinks;
    7: const zod_1 = require("zod");
>>> 8: const API_URL = process.env.PAYLOBSTER_API_URL || 'https://paylobster.com';
    9: exports.createPaymentLinkSchema = zod_1.z.object({
    10:     amount: zod_1.z.string(),
critical · DE-002 · Data Exfiltration · High Confidence · Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    6: exports.deletePriceAlert = deletePriceAlert;
    7: const zod_1 = require("zod");
>>> 8: const API_BASE = process.env.PAYLOBSTER_API_URL || 'https://paylobster.com';
    9: // ============================================================================
    10: // Create Price Alert
critical · DE-002 · Data Exfiltration · High Confidence · Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    86:     if (params.amountUSD) {
    87:         // Convert USD to token amount
>>> 88:         const apiKey = process.env.ZEROX_API_KEY;
    89:         if (!apiKey)
    90:             throw new Error('ZEROX_API_KEY required for USD conversion');
critical · DE-002 · Data Exfiltration · High Confidence · Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    33: });
    34: async function swapQuote(params, client) {
>>> 35:     const apiKey = process.env.ZEROX_API_KEY;
    36:     if (!apiKey) {
    37:         throw new Error('0x API key not configured (ZEROX_API_KEY)');
critical · DE-002 · Data Exfiltration · High Confidence · Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    6: exports.getRefundsByEscrow = getRefundsByEscrow;
    7: const zod_1 = require("zod");
>>> 8: const API_URL = process.env.PAYLOBSTER_API_URL || 'https://paylobster.com';
    9: exports.requestRefundSchema = zod_1.z.object({
    10:     escrowId: zod_1.z.number(),
critical · DE-002 · Data Exfiltration · High Confidence · Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    84: }
    85: async function swapTokens(params, client) {
>>> 86:     const apiKey = process.env.ZEROX_API_KEY;
    87:     if (!apiKey) {
    88:         throw new Error('0x API key not configured (ZEROX_API_KEY)');
critical · DE-002 · Data Exfiltration · High Confidence · Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    115: }
    116: async function swapPrice(params, client) {
>>> 117:     const apiKey = process.env.ZEROX_API_KEY;
    118:     if (!apiKey) {
    119:         throw new Error('0x API key not configured (ZEROX_API_KEY)');
critical · DE-002 · Data Exfiltration · High Confidence · Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    107: }
    108: async function getTokenPrice(params, client) {
>>> 109:     const apiKey = process.env.ZEROX_API_KEY;
    110:     if (!apiKey) {
    111:         throw new Error('0x API key not configured (ZEROX_API_KEY)');
critical · DE-002 · Data Exfiltration · High Confidence · Line 0

Environment file access

Detected by automated pattern matching (rule DE-002) with medium confidence. May be a false positive.

    64:         contracts: fileConfig.contracts,
    65:         wallet: {
>>> 66:             privateKey: process.env.PAYLOBSTER_PRIVATE_KEY || fileConfig.wallet?.privateKey,
    67:         },
    68:     };
high · DO-BAS · unknown · Medium Confidence · Line 0

Decoded base64 content: ��Ok)����D���

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high · DO-BAS · unknown · Medium Confidence · Line 0

Decoded base64 content: ��Qy��v�r�+����

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high · DO-BAS · unknown · Medium Confidence · Line 0

Decoded base64 content: ��Qy��v�r�+����

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high · DO-BAS · unknown · Medium Confidence · Line 0

Decoded base64 content: ��N�s뢗�� ޱ���+

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

high · DO-BAS · unknown · Medium Confidence · Line 0

Decoded base64 content: ��Ok)����D���

Detected by automated pattern matching (rule DO-BAS) with medium confidence. May be a false positive.

medium · NS-003 · Network Suspicious · Medium Confidence · Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    106:     }
    107:     // Call smart router
>>> 108:     const routeRes = await fetch(`${API_BASE}/api/v3/swap/route`, {
    109:         method: 'POST',
    110:         headers: { 'Content-Type': 'application/json' },
medium · EN-001 · unknown · Medium Confidence · Line 0

High-entropy string (4.5 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium · EN-001 · unknown · Medium Confidence · Line 0

High-entropy string (4.6 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium · NS-003 · Network Suspicious · Medium Confidence · Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    48:     });
    49:     try {
>>> 50:         const response = await fetch(`https://api.0x.org/swap/permit2/quote?${queryParams}`, {
    51:             headers: {
    52:                 '0x-api-key': apiKey,
medium · NS-003 · Network Suspicious · Medium Confidence · Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    89:     }
    90:     try {
>>> 91:         const response = await fetch(`https://api.0x.org/swap/permit2/tokens?chainId=8453`, {
    92:             headers: {
    93:                 '0x-api-key': apiKey,
medium · NS-003 · Network Suspicious · Medium Confidence · Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    127:             sellAmount: '1000000000000000000', // 1 token (assuming 18 decimals)
    128:         });
>>> 129:         const response = await fetch(`https://api.0x.org/swap/permit2/price?${queryParams}`, {
    130:             headers: {
    131:                 '0x-api-key': apiKey,
medium · EN-001 · unknown · Medium Confidence · Line 0

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium · EN-001 · unknown · Medium Confidence · Line 0

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium · EN-001 · unknown · Medium Confidence · Line 0

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium · NS-003 · Network Suspicious · Medium Confidence · Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    32: async function registerWebhook(params) {
    33:     try {
>>> 34:         const response = await fetch(`${API_URL}/api/v3/webhooks`, {
    35:             method: 'POST',
    36:             headers: {
medium · NS-003 · Network Suspicious · Medium Confidence · Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    55:             url.searchParams.set('address', params.address);
    56:         }
>>> 57:         const response = await fetch(url.toString(), {
    58:             method: 'GET',
    59:             headers: {
medium · NS-003 · Network Suspicious · Medium Confidence · Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    77:             url.searchParams.set('includeSecret', 'true');
    78:         }
>>> 79:         const response = await fetch(url.toString(), {
    80:             method: 'GET',
    81:             headers: {
medium · NS-003 · Network Suspicious · Medium Confidence · Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    95: async function deleteWebhook(params) {
    96:     try {
>>> 97:         const response = await fetch(`${API_URL}/api/v3/webhooks/${params.id}`, {
    98:             method: 'DELETE',
    99:             headers: {
medium · NS-003 · Network Suspicious · Medium Confidence · Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    114:     try {
    115:         const { id, ...updates } = params;
>>> 116:         const response = await fetch(`${API_URL}/api/v3/webhooks/${id}`, {
    117:             method: 'PATCH',
    118:             headers: {
medium · NS-003 · Network Suspicious · Medium Confidence · Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    49:     });
    50:     try {
>>> 51:         const response = await fetch(`https://li.quest/v1/quote?${queryParams}`);
    52:         if (!response.ok) {
    53:             const errorText = await response.text();
medium · NS-003 · Network Suspicious · Medium Confidence · Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    85:     });
    86:     try {
>>> 87:         const response = await fetch(`https://li.quest/v1/status?${queryParams}`);
    88:         if (!response.ok) {
    89:             const errorText = await response.text();
medium · NS-003 · Network Suspicious · Medium Confidence · Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    99: async function bridgeChains(params, client) {
    100:     try {
>>> 101:         const response = await fetch('https://li.quest/v1/chains');
    102:         if (!response.ok) {
    103:             const errorText = await response.text();
medium · NS-003 · Network Suspicious · Medium Confidence · Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    23: async function createPaymentLink(params) {
    24:     try {
>>> 25:         const response = await fetch(`${API_URL}/api/v3/links`, {
    26:             method: 'POST',
    27:             headers: {
medium · NS-003 · Network Suspicious · Medium Confidence · Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    42: async function getPaymentLink(params) {
    43:     try {
>>> 44:         const response = await fetch(`${API_URL}/api/v3/links/${params.code}`, {
    45:             method: 'GET',
    46:             headers: {
medium · NS-003 · Network Suspicious · Medium Confidence · Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    60: async function listPaymentLinks(params) {
    61:     try {
>>> 62:         const response = await fetch(`${API_URL}/api/v3/links?recipient=${encodeURIComponent(params.recipient)}`, {
    63:             method: 'GET',
    64:             headers: {
medium · NS-003 · Network Suspicious · Medium Confidence · Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    119:             sellAmount: '1000000000000000000', // 1 token (18 decimals)
    120:         });
>>> 121:         const response = await fetch(`https://api.0x.org/swap/permit2/price?${queryParams}`, {
    122:             headers: {
    123:                 '0x-api-key': apiKey,
medium · EN-001 · unknown · Medium Confidence · Line 0

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium · NS-003 · Network Suspicious · Medium Confidence · Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    29:         telegramChatId: params.telegramChatId || null,
    30:     };
>>> 31:     const res = await fetch(`${API_BASE}/api/v3/alerts`, {
    32:         method: 'POST',
    33:         headers: { 'Content-Type': 'application/json' },
medium · NS-003 · Network Suspicious · Medium Confidence · Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    55:     const userId = client.getAccount().address;
    56:     const active = params.activeOnly ? 'true' : 'false';
>>> 57:     const res = await fetch(`${API_BASE}/api/v3/alerts?userId=${userId}&active=${active}`);
    58:     if (!res.ok) {
    59:         throw new Error('Failed to list price alerts');
medium · NS-003 · Network Suspicious · Medium Confidence · Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    69: async function deletePriceAlert(params, client) {
    70:     const userId = client.getAccount().address;
>>> 71:     const res = await fetch(`${API_BASE}/api/v3/alerts?id=${params.alertId}&userId=${userId}`, { method: 'DELETE' });
    72:     if (!res.ok) {
    73:         const data = await res.json().catch(() => ({}));
medium · EN-001 · unknown · Medium Confidence · Line 0

High-entropy string (4.7 bits/char) — possible encoded payload

Detected by automated pattern matching (rule EN-001) with medium confidence. May be a false positive.

medium · NS-003 · Network Suspicious · Medium Confidence · Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    20: async function requestRefund(params) {
    21:     try {
>>> 22:         const response = await fetch(`${API_URL}/api/v3/refunds`, {
    23:             method: 'POST',
    24:             headers: {
medium · NS-003 · Network Suspicious · Medium Confidence · Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    39: async function getRefund(params) {
    40:     try {
>>> 41:         const response = await fetch(`${API_URL}/api/v3/refunds?refundId=${encodeURIComponent(params.refundId)}`, {
    42:             method: 'GET',
    43:             headers: {
medium · NS-003 · Network Suspicious · Medium Confidence · Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    57: async function getRefundsByEscrow(params) {
    58:     try {
>>> 59:         const response = await fetch(`${API_URL}/api/v3/refunds?escrowId=${params.escrowId}`, {
    60:             method: 'GET',
    61:             headers: {
medium · NS-003 · Network Suspicious · Medium Confidence · Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    44:     catch {
    45:         // Try DexScreener search for unknown tokens
>>> 46:         const searchRes = await fetch(`${API_BASE}/api/v3/tokens/search?q=${encodeURIComponent(params.tokenIn)}`);
    47:         if (searchRes.ok) {
    48:             const searchData = await searchRes.json();
medium · NS-003 · Network Suspicious · Medium Confidence · Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    65:     }
    66:     catch {
>>> 67:         const searchRes = await fetch(`${API_BASE}/api/v3/tokens/search?q=${encodeURIComponent(params.tokenOut)}`);
    68:         if (searchRes.ok) {
    69:             const searchData = await searchRes.json();
medium · NS-003 · Network Suspicious · Medium Confidence · Line 0

JavaScript fetch() call

Detected by automated pattern matching (rule NS-003) with medium confidence. May be a false positive.

    89:         if (!apiKey)
    90:             throw new Error('ZEROX_API_KEY required for USD conversion');
>>> 91:         const priceRes = await fetch(`https://api.0x.org/swap/permit2/price?chainId=8453&sellToken=${fromToken.address}&buyToken=0x833589fCD6eDb6E08f4c7C32D4f71b54bdA02913&sellAmount=${BigInt(10 ** fromToken.decimals).toString()}`, { headers: { '0x-api-key': apiKey, '0x-version': 'v2' } });
    92:         if (!priceRes.ok)
    93:             throw new Error('Failed to get price for USD conversion');