Update mcp server by jizhen181-dot · Pull Request #36 · BofAI/docs

jizhen181-dot · 2026-03-20T13:10:53Z

No description provided.

Ai bankofai patch 1

fix

github-actions · 2026-03-21T19:27:40Z

Code Review Report

Project: x402-tron / bankofai docs
PR: main → update-mcp-server
Review Date: 2026-03-21
Reviewer: AI Code Reviewer (Code Review Skill v1.0.0)

PR Overview

Branch Information

Property	Value
From Branch	`main`
To Branch	`update-mcp-server`
Commits	19
Files Changed	31
Lines Added	+3,767
Lines Removed	-167

Commit History

Hash	Message
`e88dbfc`	update agent-wallet
`a956313`	update
`57d7156`	Create audit-pr.yml
`6728342`	update
`1ebd798`	Merge branch 'main' into update-mcp-server
`822bdae`	fix
`224d32d`	fiix
`3b87508`	fix
`824c0d7`	fix
`17c1057`	fix
`47b8030`	fxi
`7fe32d7`	Merge pull request #28 from BofAI/ai-bankofai-patch-1
`2e02cab`	fix
`5dfcb8a`	fix
`a541e97`	fix
`956060e`	fix
`e5f417e`	fix
`fb1737f`	Merge pull request #26 from BofAI/ai-bankofai-patch-1
`24cf00e`	fix

Review Summary

Verdict

Verdict: Request Changes

Findings at a Glance

	Critical	Major	Minor	Suggestion
Count	0	2	4	3

Summary

This PR adds a substantial new documentation section covering the Agent-Wallet product — a local encrypted signing tool for AI agents operating on TRON and EVM-compatible blockchains. The additions include a full English and Chinese documentation suite: an introduction, quick-start guide, CLI reference, SDK guide with TypeScript/Python examples, and an FAQ. Existing MCP Server documentation (TRON and SUN) is refactored to link out to the new Agent-Wallet docs rather than duplicating setup instructions — a clear improvement in information architecture. The CI workflow is updated for this branch and the package version is bumped to 1.2.4.

Overall the documentation quality is high: content is well-structured, security trade-offs are explained honestly, and the dual-language parity (EN + zh-Hans) is consistently maintained. Two substantive security concerns require fixes before merge: the QuickStart password-injection guide inadvertently stores the master password in shell history, and the CI debug step leaks the Docker Hub username into public workflow logs. Several minor issues around code-example robustness, link targets, and commit-message hygiene are also noted.

Change Summary

1. New Agent-Wallet Documentation (English)

File	Change Type	Description
`docs/Agent-Wallet/Intro.md`	Added	Product overview, threat model, security comparison table
`docs/Agent-Wallet/QuickStart.md`	Added	3-step user-facing quick start (install → set password → test in OpenClaw)
`docs/Agent-Wallet/FAQ.md`	Added	215-line FAQ covering security, UX, cross-language, and OpenClaw integration
`docs/Agent-Wallet/Developer/CLI-Reference.md`	Added	Full CLI command reference including non-interactive modes and dangerous operations
`docs/Agent-Wallet/Developer/SDK-Guide.md`	Added	TypeScript & Python SDK integration guide with provider/wallet/signing examples
`docs/Agent-Wallet/Developer/SDK-Cookbook.md`	Added	End-to-end TRON transfer, EVM (BSC) transfer, and x402 PaymentPermit examples

Purpose: Introduces a fully self-contained developer documentation hub for Agent-Wallet.

2. New Agent-Wallet Documentation (Chinese / zh-Hans)

File	Change Type	Description
`i18n/zh-Hans/...current/Agent-Wallet/Intro.md`	Added	Chinese translation of Intro
`i18n/zh-Hans/...current/Agent-Wallet/QuickStart.md`	Added	Chinese translation of QuickStart
`i18n/zh-Hans/...current/Agent-Wallet/FAQ.md`	Added	Chinese translation of FAQ
`i18n/zh-Hans/...current/Agent-Wallet/Developer/CLI-Reference.md`	Added	Chinese translation of CLI Reference
`i18n/zh-Hans/...current/Agent-Wallet/Developer/SDK-Guide.md`	Added	Chinese translation of SDK Guide
`i18n/zh-Hans/...current/Agent-Wallet/Developer/SDK-Cookbook.md`	Added	Chinese translation of SDK Cookbook
`i18n/zh-Hans/.../current.json`	Modified	Added `"Developer"` → `"开发者"` sidebar category translation

Purpose: Full Chinese-language parity for all new Agent-Wallet documentation.

3. MCP Server Documentation Refactor

File	Change Type	Description
`docs/McpServer-Skills/MCP/SUNMCPServer/FAQ.md`	Modified	Replaced inline wallet setup steps with links to Agent-Wallet docs
`docs/McpServer-Skills/MCP/SUNMCPServer/LocalPrivatizedDeployment.md`	Modified	Deduplicates Agent Wallet install steps; adds multi-wallet note; fixes password quoting
`docs/McpServer-Skills/MCP/TRONMCPServer/FAQ.md`	Modified	Replaced inline wallet troubleshooting steps with links to Agent-Wallet docs
`docs/McpServer-Skills/MCP/TRONMCPServer/LocalPrivatizedDeployment.md`	Modified	Same refactor as SUN server; fixes password quoting
`docs/McpServer-Skills/MCP/TRONMCPServer/ToolList.md`	Modified	Adds hyperlinks to Agent-Wallet docs on `list_wallets`/`select_wallet` rows
`docs/McpServer-Skills/SKILLS/Faq.md`	Modified	Converts plain "Agent Wallet" mention to hyperlink
`docs/Openclaw-extension/Intro.md`	Modified	Makes `bankofai-recharge` a clickable hyperlink
(Chinese i18n equivalents of all above)	Modified	Identical refactor applied to zh-Hans translations

Purpose: Eliminate documentation duplication; centralize Agent-Wallet knowledge; correct password-quoting bug (double-quotes → single-quotes for AGENT_WALLET_PASSWORD).

4. Configuration & CI Changes

File	Change Type	Description
`.github/workflows/docker.yml`	Modified	Branch trigger updated from `ai-bankofai-patch-1` → `update-mcp-server`
`sidebars.js`	Modified	Added `Agent Wallet` section with `Developer` sub-category
`i18n/zh-Hans/.../current/sidebars.js`	Modified	Same sidebar additions in Chinese locale
`package.json`	Modified	Version bump `1.2.3` → `1.2.4`

Detailed Findings

Major

[MJ-01] Shell History Exposes Master Password When Following QuickStart Instructions

Property	Value
Severity	Major
Category	Security
File	`docs/Agent-Wallet/QuickStart.md` : Lines 1810–1835; `i18n/zh-Hans/.../Agent-Wallet/QuickStart.md` : Lines 1-195

Description

The QuickStart guide (English and Chinese) instructs users to persist their master password by running:

echo "export AGENT_WALLET_PASSWORD='your-master-password'" >> ~/.zshrc

This echo command — including the actual master password the user substitutes in — is recorded verbatim in the shell's command history file (.zsh_history / .bash_history). Agent-wallet's own documentation elsewhere explicitly warns that the master password alone does not compromise funds (the encrypted keystore file is also required); however, shell history files are routinely collected by security scanners, backup tools, AI coding assistants (the very tools Agent-Wallet is designed to protect against), and dot-file sync tools.

The irony is significant: the documentation warns about environment variable scanning and AI assistants reading project directories, yet the recommended setup procedure places the password in one of the most commonly-read plaintext files on the system.

Code

# QuickStart.md - Step 2, Mac tab
echo "export AGENT_WALLET_PASSWORD='your-master-password'" >> ~/.zshrc

# QuickStart.md - Step 2, Windows/Linux tab
echo "export AGENT_WALLET_PASSWORD='your-master-password'" >> ~/.bashrc

Recommendation

Replace the echo approach with a cat heredoc or direct editor guidance that avoids recording the password in history. Alternatively, add a HISTIGNORE/HISTCONTROL advisory immediately before the command:

# Option A: suppress this command from history (prepend a space — works in zsh/bash with HISTCONTROL=ignorespace)
 echo "export AGENT_WALLET_PASSWORD='your-master-password'" >> ~/.zshrc

# Option B: edit the file directly (no history exposure)
# Open ~/.zshrc in your editor and add the line manually:
#   export AGENT_WALLET_PASSWORD='your-master-password'

Add a caution admonition:

:::caution This command will appear in your shell history
After running the command above, optionally delete it from history:
- **zsh**: `history -d $(history 1 | awk '{print $1}')`
- **bash**: `history -d $(history | tail -1 | awk '{print $1}')`

Or edit `~/.zshrc` / `~/.bashrc` directly with a text editor to avoid the issue entirely.
:::

[MJ-02] CI Debug Step Leaks Docker Hub Username to Public Workflow Logs

Property	Value
Severity	Major
Category	Security
File	`.github/workflows/docker.yml` : Lines 30–36

Description

The updated workflow retains a debug step that prints the Docker Hub username directly to GitHub Actions log output:

- name: Debug Docker Hub secrets
  if: github.event_name != 'pull_request'
  ...
  run: |
    echo "username=[$DOCKERHUB_USERNAME]"
    echo "token_length=${#DOCKERHUB_TOKEN}"

This step runs on every push to main, master, or update-mcp-server. GitHub Actions logs for public repositories are publicly readable. Even for private repositories, logs are visible to all repository collaborators. Printing the Docker Hub username into logs (a) exposes an account identifier that could be used in phishing or credential-stuffing attacks targeting that DockerHub account, and (b) signals the existence and name of the account to any observer.

The token length (${#DOCKERHUB_TOKEN}) is less sensitive but still reduces the search space for a brute-force attempt.

Code

- name: Debug Docker Hub secrets
  if: github.event_name != 'pull_request'
  env:
    DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }}
    DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
  run: |
    echo "username=[$DOCKERHUB_USERNAME]"      # ← exposes account name in logs
    echo "token_length=${#DOCKERHUB_TOKEN}"

Recommendation

Remove this debug step entirely before merging. It was likely useful during initial setup but has no place in a merged workflow:

# DELETE the entire "Debug Docker Hub secrets" step

If debugging is needed in future, use GitHub's secret masking feature and avoid echoing any secret-derived values.

Minor

[MN-01] TypeScript EVM Example Uses Non-Null Assertion on Potentially Null `feeData` Fields

Property	Value
Severity	Minor
Category	Correctness
File	`docs/Agent-Wallet/Developer/SDK-Cookbook.md` : Lines 539–551; Chinese equivalent

Description

The BSC/EVM transfer example uses the TypeScript non-null assertion operator (!) on feeData.maxFeePerGas and feeData.maxPriorityFeePerGas. These fields are typed as bigint | null in ethers.js because not all chains support EIP-1559. On legacy chains (or chains where the RPC doesn't advertise EIP-1559 fee data), these will be null, and the ! assertion will silently pass TypeScript's type checker while causing a runtime crash when the unsigned transaction is constructed.

Since the documentation is explicitly aimed at developers copying these examples into production environments, the example should model correct null-handling.

Code

const feeData = await rpcProvider.getFeeData();

const unsignedTx = {
  ...
  maxFeePerGas: feeData.maxFeePerGas!,          // ← could be null → runtime crash
  maxPriorityFeePerGas: feeData.maxPriorityFeePerGas!,  // ← same issue
  ...
};

Recommendation

Add an explicit null-check before building the transaction:

const feeData = await rpcProvider.getFeeData();

if (!feeData.maxFeePerGas || !feeData.maxPriorityFeePerGas) {
  throw new Error("Chain does not support EIP-1559 fee data");
}

const unsignedTx = {
  ...
  maxFeePerGas: feeData.maxFeePerGas,
  maxPriorityFeePerGas: feeData.maxPriorityFeePerGas,
  ...
};

[MN-02] `bankofai-recharge` Table Link Points to a Live MCP Endpoint, Not a Documentation Page

Property	Value
Severity	Minor
Category	Documentation / UX
File	`docs/Openclaw-extension/Intro.md` : Line 2106; `i18n/zh-Hans/.../Openclaw-extension/Intro.md` : Line 4206

Description

The PR converts the plain text bankofai-recharge entry in the MCP server table into a hyperlink:

| **[bankofai-recharge](https://recharge.bankofai.io/mcp)** | BANK OF AI (Remote) | ... |

The target URL (https://recharge.bankofai.io/mcp) is the live MCP SSE/HTTP endpoint itself, not a documentation or landing page. Clicking this link in a browser will present raw Server-Sent Events or JSON (depending on the server implementation), which is confusing for documentation readers. The other two entries in the same table link to GitHub repository pages — human-readable pages with READMEs.

Recommendation

Link to a documentation page or GitHub repo instead of the raw endpoint:

| **[bankofai-recharge](https://github.com/BofAI/bankofai-recharge)** | BANK OF AI (Remote) | Remote recharge MCP — top up your BANK OF AI account via on-chain USDT. Default endpoint: `https://recharge.bankofai.io/mcp` |

If no documentation page exists yet, keep the name unlinked (as it was before) and only show the endpoint URL in the description column.

[MN-03] Feature Branch Trigger Retained in Docker CI Workflow May Persist After Merge

Property	Value
Severity	Minor
Category	Compatibility / CI
File	`.github/workflows/docker.yml` : Lines 6–18

Description

The PR changes the Docker CI push/pull_request trigger from ai-bankofai-patch-1 to update-mcp-server. Both are feature branch names. After this PR is merged to main, the main branch copy of docker.yml will contain update-mcp-server as a branch trigger. Pushes to update-mcp-server will then continue to trigger CI builds even after the PR is merged and the branch is no longer active. This is a minor operational annoyance and could lead to unexpected image builds if the branch is reused.

Code

on:
  push:
    branches:
      - main
      - master
      - update-mcp-server    # ← feature branch name, will remain after merge
  pull_request:
    branches:
      - main
      - master
      - update-mcp-server    # ← same

Recommendation

Remove the feature branch entry before merging, restoring the workflow to the standard main / master triggers (or, if there are legitimate reasons to keep feature branch CI, document them and use a pattern like feature/**):

on:
  push:
    branches:
      - main
      - master
  pull_request:
    branches:
      - main
      - master
  workflow_dispatch:

[MN-04] Inconsistent Commit Message Quality Makes Change History Hard to Navigate

Property	Value
Severity	Minor
Category	Code Quality / Maintainability
File	Git history

Description

The majority of commits in this PR use non-descriptive messages: fix, fiix, fxi, update, update agent-wallet. With 19 commits introducing ~3,800 lines of documentation changes, the git history provides no meaningful information about what was changed or why. This makes bisecting, reverting, and reviewing individual changes significantly harder, especially for a documentation project where the "what changed" information is the primary value of the commit log.

Commit examples:

a956313 update
822bdae fix
224d32d fiix      ← typo
3b87508 fix
47b8030 fxi       ← typo

Recommendation

Consider squashing the PR into logical commits with descriptive messages before merge:

docs: add Agent-Wallet documentation (EN + zh-Hans)
docs: refactor MCP Server docs to reference Agent-Wallet
ci: update docker.yml branch trigger for update-mcp-server
feat: bump version to 1.2.4 and update sidebar navigation

Suggestions

[S-01] Add Guidance to Prevent Shell History Exposure via HISTIGNORE

File: docs/Agent-Wallet/QuickStart.md, docs/Agent-Wallet/Developer/CLI-Reference.md
Description: The CLI Reference documents export AGENT_WALLET_PASSWORD='...' as the recommended setup pattern. Adding a note about using HISTIGNORE or HISTCONTROL=ignorespace (space-prefixed commands are not saved to history in most shells) would help security-conscious users avoid history exposure without changing the core UX flow.
Suggestion: Add a tip admonition: "To avoid recording this command in shell history, prefix it with a single space (requires HISTCONTROL=ignorespace or HISTIGNORE='*' in your shell config), or edit the rc file directly in a text editor."

[S-02] Document File Permissions for `runtime_secrets.json`

File: docs/Agent-Wallet/Developer/CLI-Reference.md : Lines 162–168 (Method B: Local Password Cache)
Description: The --save-runtime-secrets flag caches the master password in ~/.agent-wallet/runtime_secrets.json. The documentation does not mention that this file's permissions should be restricted (ideally 600 / user-read-only). If the ~/.agent-wallet/ directory is world-readable (e.g., on misconfigured multi-user systems), the cached password would be accessible to other local users — undermining the two-factor protection the tool is designed to provide.
Suggestion: Add a security note: "The cached password file at ~/.agent-wallet/runtime_secrets.json should have restrictive permissions (chmod 600). The tool sets this automatically on creation, but verify after any manual file operations."

[S-03] Consider Adding GitHub Actions Secret Usage Example for CI/CD Workflows

File: docs/Agent-Wallet/Developer/CLI-Reference.md (Non-Interactive Execution section)
Description: The CLI Reference describes "Method A: Environment Variable Injection (Recommended for AI Agents / CI Pipelines)" and shows a bare export AGENT_WALLET_PASSWORD=... command. In a GitHub Actions or GitLab CI context, the correct pattern is to use repository secrets (${{ secrets.AGENT_WALLET_PASSWORD }}), not shell exports. A small CI-context example would help developers avoid accidentally hardcoding the password in workflow YAML files.
Suggestion: Add a collapsible "GitHub Actions example" block in the CI section of the CLI Reference showing the proper env: / secrets: pattern for workflow files.

Positive Observations

Area	Observation
Security messaging	The Intro and FAQ clearly and honestly explain the threat model, limitations, and the "password alone ≠ stolen funds" design — rare for product documentation
Password quoting fix	Both TRON and SUN deployment docs correctly update from `"<password>"` (double-quotes, allows shell expansion) to `'<password>'` (single-quotes, prevents expansion) — a real security improvement
Bad advice removal	The old SUN MCP Server FAQ advised "Avoid special characters, use alphanumeric combination" for passwords — terrible security guidance. The new text removes this entirely
Documentation consolidation	Replacing duplicated wallet setup steps across TRON and SUN FAQ/deployment docs with links to the central Agent-Wallet docs is an excellent DRY improvement
Dual-language parity	All 6 new documentation files have complete, high-quality Chinese translations. The i18n sidebar and JSON translations are also kept in sync
Code example completeness	The SDK Cookbook provides truly end-to-end runnable scripts (build → sign → broadcast) for both TRON and EVM chains, in both TypeScript and Python — unusually thorough
Dangerous operations section	The CLI Reference explicitly marks `reset` and `change-password` with `:::danger` admonitions, matching the severity of those operations
Non-interactive documentation	The three-method non-interactive execution guide (env var / cache / inline) is well-categorized with appropriate warnings for each method's security implications
Error type hierarchy	The SDK Guide documents the full exception class hierarchy, enabling developers to write correct error-handling code

Checklist Results

Category	Items Checked	Pass	Fail	N/A	Notes
Correctness	6	5	1	0	TypeScript null assertion on `feeData` [MN-01]
Security	8	6	2	0	Shell history [MJ-01]; CI debug leak [MJ-02]
Performance	7	0	0	7	Documentation-only PR
Code Quality	6	4	2	0	Commit message quality [MN-04]; endpoint link [MN-02]
Testing	7	0	0	7	Documentation-only PR
Documentation	6	5	1	0	`runtime_secrets.json` permissions undocumented [S-02]
Compatibility	5	4	1	0	Feature branch CI trigger retained [MN-03]
Observability	4	0	0	4	Not applicable to documentation changes

Disclaimer

This is an automated code review. It supplements but does not replace human review. The reviewer analyzed only the diff between main and update-mcp-server. Runtime behavior, integration testing, and deployment impact are not covered. SDK behavioral correctness (e.g., actual return formats of signTransaction) could not be verified without the SDK source code.

Report generated by Code Review Skill v1.0.0
Date: 2026-03-21

github-actions · 2026-03-21T19:33:00Z

PR Audit Report

Date: 2026-03-21
Repository: BofAI/docs
PR: main → update-mcp-server
Auditor: Claude Code (claude-sonnet-4-6)

PR Overview

Field	Detail
Source Branch	`update-mcp-server` (remote: `origin/update-mcp-server`)
Target Branch	`main` (remote: `origin/main`)
Total Commits	20 commits
Files Changed	31 files
Lines Added	+3,767
Lines Removed	-167

Commit Summary (most recent first)

bc4a8f0 fix
e88dbfc update agent-wallet
a956313 update
57d7156 Create audit-pr.yml
6728342 update
1ebd798 Merge branch 'main' into update-mcp-server
822bdae fix
224d32d fiix
3b87508 fix
824c0d7 fix
17c1057 fix
47b8030 fxi
7fe32d7 Merge pull request #28 from BofAI/ai-bankofai-patch-1
2e02cab fix
5dfcb8a fix
a541e97 fix
956060e fix
e5f417e fix
fb1737f Merge pull request #26 from BofAI/ai-bankofai-patch-1
24cf00e fix

Note: All commit messages are generic ("fix", "update", "fiix") with no meaningful descriptions — see Findings section.

Files Changed (Grouped)

New Documentation — Agent-Wallet section (English):

docs/Agent-Wallet/Intro.md (+156 lines)
docs/Agent-Wallet/QuickStart.md (+195 lines)
docs/Agent-Wallet/FAQ.md (+215 lines)
docs/Agent-Wallet/Developer/CLI-Reference.md (+222 lines)
docs/Agent-Wallet/Developer/SDK-Guide.md (+531 lines)
docs/Agent-Wallet/Developer/SDK-Cookbook.md (+522 lines)

New Documentation — Agent-Wallet section (Simplified Chinese i18n):

i18n/zh-Hans/docusaurus-plugin-content-docs/current/Agent-Wallet/Intro.md (+155 lines)
i18n/zh-Hans/docusaurus-plugin-content-docs/current/Agent-Wallet/QuickStart.md (+195 lines)
i18n/zh-Hans/docusaurus-plugin-content-docs/current/Agent-Wallet/FAQ.md (+215 lines)
i18n/zh-Hans/docusaurus-plugin-content-docs/current/Agent-Wallet/Developer/CLI-Reference.md (+221 lines)
i18n/zh-Hans/docusaurus-plugin-content-docs/current/Agent-Wallet/Developer/SDK-Guide.md (+531 lines)
i18n/zh-Hans/docusaurus-plugin-content-docs/current/Agent-Wallet/Developer/SDK-Cookbook.md (+522 lines)

Modified Documentation — MCP Server references (English + Chinese i18n):

docs/McpServer-Skills/MCP/SUNMCPServer/FAQ.md
docs/McpServer-Skills/MCP/SUNMCPServer/LocalPrivatizedDeployment.md
docs/McpServer-Skills/MCP/TRONMCPServer/FAQ.md
docs/McpServer-Skills/MCP/TRONMCPServer/LocalPrivatizedDeployment.md
docs/McpServer-Skills/MCP/TRONMCPServer/ToolList.md
docs/McpServer-Skills/SKILLS/Faq.md
docs/Openclaw-extension/Intro.md
(Chinese i18n mirrors of each of the above)

Navigation & Configuration:

sidebars.js (+20 lines — new Agent Wallet sidebar category)
i18n/zh-Hans/docusaurus-plugin-content-docs/current/sidebars.js (+20 lines)
i18n/zh-Hans/docusaurus-plugin-content-docs/current.json (+4 lines — "Developer" label translation)

CI/CD:

.github/workflows/docker.yml (4 lines changed — branch name update)

Package:

package.json (version bump: 1.2.3 → 1.2.4)

Change Summary

1. New Agent-Wallet Documentation Suite

The dominant change in this PR is the addition of a complete, multi-page documentation section for the agent-wallet tool. This covers:

Introduction (Intro.md): Security motivation, dual-lock model, comparison table.
Quick Start (QuickStart.md): Node.js setup, CLI install, wallet creation, password persistence, AI integration test.
CLI Reference (CLI-Reference.md): Full command reference including signing, wallet management, non-interactive execution patterns, and dangerous operations.
SDK Guide (SDK-Guide.md): TypeScript and Python SDK integration with tabs, environment variable reference table, multiple signing examples, multi-wallet management, and error handling.
SDK Cookbook (SDK-Cookbook.md): Three end-to-end runnable code examples: TRON transfer, EVM (BSC) transfer, x402 PaymentPermit signing.
FAQ (FAQ.md): Security, everyday use, wallet types, network parameters, installation troubleshooting, cross-language compatibility, OpenClaw integration.

Both English and Chinese Simplified (zh-Hans) versions are provided in parallel.

2. MCP Server Docs — Agent-Wallet Cross-linking

Existing SUN MCP Server and TRON MCP Server documentation has been updated to:

Replace inline installation instructions for agent-wallet (which duplicated content and linked to a stale GitHub README) with links to the new official Agent-Wallet documentation.
Consolidate troubleshooting steps by pointing to the canonical Quick Start and FAQ pages.
Fix the export AGENT_WALLET_PASSWORD example from double quotes to single quotes to avoid shell expansion of special characters.

3. Sidebar Navigation

sidebars.js (and its zh-Hans mirror) gains a new top-level "Agent Wallet" category with Intro, QuickStart, a Developer subcategory (CLI-Reference, SDK-Guide, SDK-Cookbook), and FAQ. The i18n current.json adds a "Developer" → "开发者" translation entry.

4. CI/CD Branch Reference Update

.github/workflows/docker.yml replaces the ai-bankofai-patch-1 branch trigger with update-mcp-server in both push and pull_request triggers, keeping the workflow relevant to the current development branch.

5. Package Version Bump

package.json version: 1.2.3 → 1.2.4.

6. Openclaw Intro Link Fix

docs/Openclaw-extension/Intro.md: the bankofai-recharge entry was a plain text name; it now correctly links to https://recharge.bankofai.io/mcp.

Detailed Findings

Security Findings

FINDING-001 — `--save-runtime-secrets` Missing Security Warning

Severity: Major
File: docs/Agent-Wallet/Developer/CLI-Reference.md, lines 136–142

Code Evidence:

### Method B: Local Password Cache (True "Set and Forget")

The ultimate convenience solution. After running a command once with the `--save-runtime-secrets` flag,
the password is permanently cached in a local file (`~/.agent-wallet/runtime_secrets.json`).
The next time you run any signing command, the system automatically reads from the cache.

agent-wallet sign msg "Hello" -n tron -p "Abc12345!" --save-runtime-secrets

Issue: The --save-runtime-secrets feature stores the master password in a plaintext JSON file (~/.agent-wallet/runtime_secrets.json). The documentation presents this as "The ultimate convenience solution" without any accompanying :::danger or :::caution admonition. This is inconsistent with the treatment of Method C (inline -p) which does carry a :::danger warning. Storing the password in a local file exposes it to any process that can read the filesystem — exactly the threat model the security-focused Intro.md warns against. A user following this guide in good faith could store their password in plaintext without realising the risk.

Recommendation: Add a :::caution or :::danger block immediately after the code snippet explaining: (1) runtime_secrets.json stores the password in plaintext; (2) any process with filesystem read access can retrieve it; (3) prefer the AGENT_WALLET_PASSWORD environment variable for automated contexts since it is ephemeral and not persisted to disk.

FINDING-002 — Double-Quote Password Escape Fixed in New Docs but Only Partially Propagated

Severity: Minor
Files:

docs/McpServer-Skills/MCP/SUNMCPServer/LocalPrivatizedDeployment.md
docs/McpServer-Skills/MCP/TRONMCPServer/LocalPrivatizedDeployment.md
i18n/zh-Hans/…/SUNMCPServer/LocalPrivatizedDeployment.md
i18n/zh-Hans/…/TRONMCPServer/LocalPrivatizedDeployment.md

Code Evidence (diff):

-export AGENT_WALLET_PASSWORD="<your-master-password>"
+export AGENT_WALLET_PASSWORD='<your-master-password>'

Issue: The fix correctly changes double quotes to single quotes in the four LocalPrivatizedDeployment.md files. However, there may be other occurrences of double-quoted AGENT_WALLET_PASSWORD in the unchanged parts of these files or in other docs not touched by this PR. The TRON MCP Server FAQ diff at line 57 correctly updated one inline reference to Agent Wallet but the surrounding code block in the unchanged portion uses echo $AGENT_WALLET_PASSWORD (read, not write, so not directly a shell-expansion issue). The fix is directionally correct but developers should audit all remaining AGENT_WALLET_PASSWORD= examples across the doc tree.

Recommendation: Run a codebase-wide search for AGENT_WALLET_PASSWORD=" (double-quoted assignment) and update any remaining instances to single quotes with an inline shell-expansion caution.

Correctness & Logic Findings

FINDING-003 — `agent-wallet init` Command Referenced in Legacy Docs Was Correctly Removed

Severity: Positive (resolved in this PR — noted for completeness)
Files: docs/McpServer-Skills/MCP/TRONMCPServer/FAQ.md

Code Evidence (diff):

-2. **If the password is lost**, you'll need to re-initialize. Note: this creates a new wallet — funds in
-   the old wallet must be recovered through other means.
-   ```bash
-   agent-wallet init
-   ```
+If the password is lost, you'll need to re-initialize — see the [Agent-Wallet Quick Start](../../../Agent-Wallet/QuickStart) and [Agent-Wallet FAQ](../../../Agent-Wallet/FAQ) for details.

Note: The old docs referenced agent-wallet init which appears to be the deprecated command; the current CLI uses agent-wallet start. This PR correctly removes the inline stale command reference and delegates to the canonical documentation. No action required.

FINDING-004 — Python EVM Broadcast: `bytes.fromhex()` Assumes Hex Without `0x` Prefix

Severity: Minor
File: docs/Agent-Wallet/Developer/SDK-Cookbook.md, Python EVM transfer example (~line 368)

Code Evidence:

# Step 5: Broadcast
tx_hash = await w3.eth.send_raw_transaction(bytes.fromhex(signed_tx_hex))

Versus TypeScript counterpart:

// Step 5: Broadcast
const txResponse = await rpcProvider.broadcastTransaction("0x" + signedTxHex);

Issue: The TypeScript example explicitly prepends "0x" to the hex string before broadcasting, indicating the SDK returns a hex string without the 0x prefix. The Python example uses bytes.fromhex(signed_tx_hex) which also requires a plain hex string (without 0x prefix). This is technically consistent with each other, but:

There is no comment in the Python example explaining that signed_tx_hex does NOT have a 0x prefix (a common source of bugs).
If the underlying SDK ever changes to include 0x, the Python code would silently raise a ValueError from bytes.fromhex() while the TypeScript code would produce a string like "0x0x..." — both would fail but in different ways.

A brief inline comment (# SDK returns hex without 0x prefix) would prevent user confusion.

Recommendation: Add a comment in the Python example clarifying that signed_tx_hex is a raw hex string without 0x, mirroring the explicit "0x" + concatenation visible in the TypeScript version.

FINDING-005 — Sidebar `Agent Wallet` Category Is Not Translated in zh-Hans `current.json`

Severity: Minor
Files:

sidebars.js (English)
i18n/zh-Hans/docusaurus-plugin-content-docs/current/sidebars.js
i18n/zh-Hans/docusaurus-plugin-content-docs/current.json

Code Evidence:

English sidebars.js:

{
  type: 'category',
  label: 'Agent Wallet',
  collapsed: false,
  ...
}

i18n/zh-Hans/…/sidebars.js:

{
  type: 'category',
  label: 'Agent Wallet',   // ← still English
  collapsed: false,
  ...
}

i18n/zh-Hans/…/current.json additions:

"sidebar.docsSidebar.category.Developer": {
  "message": "开发者",
  "description": "The label for category Developer in sidebar docsSidebar"
}

Issue: The "Developer" sub-category label is correctly translated in current.json. However, the top-level "Agent Wallet" category label in the zh-Hans sidebars.js remains English. Other top-level categories in the same file use localized labels (e.g., "Openclaw 扩展插件"). The current.json file does not contain a translation key for the "Agent Wallet" top-level category. This means Chinese-language users will see "Agent Wallet" in English in the sidebar while all other categories appear in Chinese.

Recommendation: Either add a translation key for Agent Wallet in current.json (e.g., "Agent 钱包" or keep as-is if it is a product name), or update the zh-Hans sidebars.js to use the intended Chinese label directly, consistent with the treatment of other categories like "Openclaw 扩展插件".

FINDING-006 — `runtime_secrets.json` Password Cache Has No Documented Revocation/Cleanup Path

Severity: Minor
File: docs/Agent-Wallet/Developer/CLI-Reference.md

Issue: The documentation describes how to create a password cache with --save-runtime-secrets but provides no guidance on how to remove or invalidate the cache. If a user rotates their master password via agent-wallet change-password, the stale password in runtime_secrets.json will cause subsequent silent signing failures that may be difficult to diagnose. There is no "How to clear the cache" section.

Recommendation: Add a note under Method B explaining: (1) cached credentials in runtime_secrets.json do not auto-update when the master password changes via agent-wallet change-password; (2) users should delete ~/.agent-wallet/runtime_secrets.json after rotating their password and re-run with --save-runtime-secrets to re-cache.

Documentation Quality Findings

FINDING-007 — SDK-Cookbook x402 PaymentPermit Example Is Incomplete (No Error Handling, No Retry)

Severity: Minor
File: docs/Agent-Wallet/Developer/SDK-Cookbook.md, x402 section (~lines 408–510)

Code Evidence:

async function signPaymentPermit(authorization: {
  from: string;
  ...
}) {
  const provider = resolveWalletProvider({ network: "eip155:8453" });
  const wallet = await provider.getActiveWallet();
  ...
  const signature = await wallet.signTypedData(typedData);
  console.log("PaymentPermit signature:", signature);
  return signature;
}

Issue: Unlike the TRON and EVM transfer examples, which include try/catch via .catch(console.error) at the call site and explicit broadcast failure checks, the x402 example has no error handling at all. The function throws on wallet errors with no indication of what to do. This is especially important because the x402 use case is likely to be used in automated agent pipelines where unhandled promise rejections have significant consequences.

Recommendation: Add a try/catch block around the signing call (mirroring the error handling shown in the SDK Guide's Error Handling section) or add a note directing readers to the Error Handling section of the SDK Guide.

FINDING-008 — CI Workflow Branch Trigger Includes `update-mcp-server` — Should Be Cleaned Before Merge

Severity: Minor
File: .github/workflows/docker.yml

Code Evidence (diff):

-      - ai-bankofai-patch-1
+      - update-mcp-server

Issue: The workflow now triggers on pushes to update-mcp-server. After this PR merges into main, the update-mcp-server branch will likely be deleted. If the update-mcp-server branch trigger is not removed before or after the merge, the workflow config on main will permanently contain a reference to a non-existent branch. This is harmless at runtime (GitHub silently ignores triggers for deleted branches) but creates dead configuration that may confuse future maintainers.

Recommendation: Before or immediately after merging this PR into main, update .github/workflows/docker.yml to remove the update-mcp-server branch trigger and retain only main / master (and potentially a future named branch). Consider whether a develop or release/* wildcard pattern would be more maintainable than hardcoded feature branch names.

FINDING-009 — Commit Messages Provide No Useful History

Severity: Suggestion
Scope: All 20 commits in this PR

Code Evidence:

bc4a8f0 fix
e88dbfc update agent-wallet
a956313 update
57d7156 Create audit-pr.yml
6728342 update
1ebd798 Merge branch 'main' into update-mcp-server
822bdae fix
...

Issue: Every commit message is a single generic word: "fix", "update", "fiix" (sic), "fxi" (sic). None describe what was changed, why, or in which file. This makes git bisect, git blame, and changelog generation impossible.

Recommendation: Enforce a commit message convention (e.g., Conventional Commits: docs(agent-wallet): add CLI reference page) via a branch protection rule or pre-commit hook. At minimum, squash this PR into 2–3 descriptive commits before merging.

FINDING-010 — Password Inline Examples in CLI-Reference Use Weak Placeholder Password

Severity: Suggestion
File: docs/Agent-Wallet/Developer/CLI-Reference.md

Code Evidence:

agent-wallet start -p Abc12345!
agent-wallet sign msg "Hello" -n tron -p "Abc12345!"

Issue: All code examples use Abc12345! as the demonstration password. While clearly a placeholder, a user who copy-pastes literally could end up with a weak, publicly known password protecting their wallet. The Quick Start section correctly generates a random password and warns against reusing it, but the CLI Reference section provides examples with the same constant string throughout.

Recommendation: Use a more obviously-synthetic placeholder such as <YOUR_MASTER_PASSWORD> or your-master-password-here in CLI Reference examples, consistent with the style used in the LocalPrivatizedDeployment docs (<your-master-password>).

FINDING-011 — `Intro.md` Comparison Table Uses Non-Standard Docusaurus Emoji Syntax

Severity: Suggestion
File: docs/Agent-Wallet/Intro.md, lines 56–61

Code Evidence:

| | :x: Traditional (plaintext key) | :white_check_mark: Agent-wallet |
| **Log / env variable leak** | :rotating_light: **Total loss** | :shield: **Only the password leaks** |

Issue: This uses GitHub Flavored Markdown emoji shortcodes (:x:, :white_check_mark:, :rotating_light:, :shield:). Docusaurus does not natively render these; they rely on a plugin (e.g., remark-emoji) being configured. If the plugin is not enabled, the table will render literal colon-wrapped text. Other pages in the PR use Unicode emoji directly (e.g., 💰, 🔌, 🛡️) which always render correctly. The inconsistency could result in a broken comparison table.

Recommendation: Replace GitHub-style shortcodes with direct Unicode characters consistent with the rest of the documentation (e.g., ❌ for :x:, ✅ for :white_check_mark:, ⚠️ for :rotating_light:, 🛡️ for :shield:). Alternatively, confirm that remark-emoji is enabled in the Docusaurus config.

Positive Observations

Comprehensive, Well-Structured Documentation: The new Agent-Wallet section is thorough and logically sequenced: Intro → QuickStart → CLI Reference → SDK Guide → SDK Cookbook → FAQ. Each page links to the others in a "Next Steps" section at the bottom.
Dual-Language Parity: Every new and modified English page has a corresponding Chinese Simplified translation. The zh-Hans versions appear to be genuine translations, not machine-generated duplicates, and maintain the same structure.
Security-First Framing: The documentation consistently emphasizes secure practices. The Intro.md provides a compelling threat model. The SDK Guide clearly differentiates Local Vault mode (recommended) from Static Injection mode (dangerous), with prominent :::danger admonitions on the latter.
Practical Code Examples: The SDK Cookbook provides three complete, runnable end-to-end examples covering TRON, EVM (BSC), and x402 scenarios. Both TypeScript and Python are covered with language-specific idioms (e.g., asyncio for Python, ethers.js for TypeScript).
Fixing the Stale External Link: The MCP Server deployment docs previously linked to a GitHub README (https://github.com/BofAI/agent-wallet/blob/main/doc/getting-started.md) that may drift independently. These are now replaced with internal doc links, ensuring users always get the authoritative, versioned documentation.
Single-Quote Fix Propagated Consistently: The export AGENT_WALLET_PASSWORD='...' single-quote fix (preventing shell expansion of special characters) is applied consistently across all four LocalPrivatizedDeployment.md files and their zh-Hans counterparts.
Error Hierarchy Documented: The SDK Guide includes a clear error type tree (WalletError → WalletNotFoundError, DecryptionError, SigningError, etc.) with language-specific catch examples in both TypeScript and Python.
Dangerous Operations Clearly Marked: Both agent-wallet change-password and agent-wallet reset are placed under a dedicated "Dangerous Operations" heading with a top-level :::danger admonition, making the irreversibility prominent.
Internal Cross-Links Are Valid: All tested relative links (../QuickStart.md, ./SDK-Guide.md, ../../x402/index.md, ../../../Agent-Wallet/Intro, etc.) resolve to files that exist in the repository.

Review Verdict

Decision: REQUEST CHANGES

The PR is high-quality documentation work with good breadth, dual-language coverage, and strong security framing. However, the following issues should be addressed before merging:

Priority	Finding	Severity
Must fix	FINDING-001: `--save-runtime-secrets` missing security warning	Major
Should fix	FINDING-005: "Agent Wallet" sidebar label not translated in zh-Hans	Minor
Should fix	FINDING-006: No guidance on clearing the password cache after rotation	Minor
Should fix	FINDING-008: CI workflow will have dead branch trigger after merge	Minor
Consider	FINDING-004: Python broadcast example lacks `0x` prefix comment	Minor
Consider	FINDING-007: x402 example missing error handling	Minor
Consider	FINDING-009: All commit messages are non-descriptive	Suggestion
Consider	FINDING-010: Placeholder password `Abc12345!` used throughout	Suggestion
Consider	FINDING-011: Non-standard Docusaurus emoji shortcodes in comparison table	Suggestion

The blocking issue is FINDING-001: a feature that stores the master password in plaintext on disk is described as "the ultimate convenience solution" without any security warning. Given that this documentation's primary purpose is to guide users away from insecure private key handling, shipping a plaintext password cache recommendation without caveats would undermine the very security model the docs are built around.

github-actions · 2026-03-22T04:26:49Z

Code Review Report

Project: BofAI Docs (@x402-tron/docs)
PR: main → update-mcp-server
Review Date: 2026-03-22
Reviewer: AI Code Reviewer (Code Review Skill v1.0.0)

PR Overview

Branch Information

Property	Value
From Branch	`main`
To Branch	`update-mcp-server`
Commits	21
Files Changed	31
Lines Added	+3,767
Lines Removed	-167

Commit History

Hash	Message
`b1bfecd`	update
`bc4a8f0`	fix
`e88dbfc`	update agent-wallet
`a956313`	update
`57d7156`	Create audit-pr.yml
`6728342`	update
`1ebd798`	Merge branch 'main' into update-mcp-server
`822bdae`	fix
`224d32d`	fiix
`3b87508`	fix
`824c0d7`	fix
`17c1057`	fix
`47b8030`	fxi
`7fe32d7`	Merge pull request #28 from BofAI/ai-bankofai-patch-1
`2e02cab`	fix
`5dfcb8a`	fix
`a541e97`	fix
`956060e`	fix
`e5f417e`	fix
`fb1737f`	Merge pull request #26 from BofAI/ai-bankofai-patch-1
`24cf00e`	fix

Review Summary

Verdict

Verdict: ⚠️ Request Changes

Findings at a Glance

	Critical	Major	Minor	Suggestion
Count	0	2	3	4

Summary

This PR adds a new Agent-Wallet documentation section to the BofAI docs site — a significant content addition comprising six new Markdown files covering introduction, quick start, FAQ, CLI reference, SDK guide, and SDK cookbook. It also refactors existing MCP Server docs to link to the new Agent-Wallet pages rather than duplicating setup instructions, updates sidebar navigation in both English and Chinese locales, bumps the package version to 1.2.4, and updates a GitHub Actions workflow branch filter.

The documentation is generally well-written, well-structured, and security-conscious — it consistently warns users about the dangers of plaintext private keys, recommends local vault mode, and uses correct shell quoting guidance. The refactored MCP Server docs are cleaner and benefit from the new centralized Agent-Wallet docs.

However, two major documentation security issues require attention before merge: the --save-runtime-secrets feature is documented without any warning about the plaintext password file it creates, and the QuickStart echo command silently breaks if the master password contains a single-quote character. These are documentation bugs that could mislead users into inadvertently weakening their security posture. Several minor issues also require correction, including missing i18n translation for the "Agent Wallet" sidebar label, and an unintended Docker build trigger on the feature branch.

Change Summary

1. New Agent-Wallet Documentation (6 new files)

File	Change Type	Description
`docs/Agent-Wallet/Intro.md`	Added	Product introduction and security value proposition
`docs/Agent-Wallet/QuickStart.md`	Added	3-step onboarding guide for non-technical users
`docs/Agent-Wallet/FAQ.md`	Added	Comprehensive FAQ covering security, UX, and installation
`docs/Agent-Wallet/Developer/CLI-Reference.md`	Added	Full CLI command reference with automation examples
`docs/Agent-Wallet/Developer/SDK-Guide.md`	Added	TypeScript/Python SDK usage guide with env var reference
`docs/Agent-Wallet/Developer/SDK-Cookbook.md`	Added	End-to-end runnable examples: TRON transfer, BSC transfer, x402 payment

Purpose: Centralize Agent-Wallet documentation, replacing scattered inline setup instructions in MCP Server docs.

2. MCP Server Docs Refactoring (5 modified files)

File	Change Type	Description
`docs/McpServer-Skills/MCP/SUNMCPServer/FAQ.md`	Modified	Replaced inline wallet setup code with links to Agent-Wallet docs
`docs/McpServer-Skills/MCP/SUNMCPServer/LocalPrivatizedDeployment.md`	Modified	Removed duplicated install steps; linked to Agent-Wallet/Intro
`docs/McpServer-Skills/MCP/TRONMCPServer/FAQ.md`	Modified	Replaced inline `agent-wallet init` steps with links; fixed command name
`docs/McpServer-Skills/MCP/TRONMCPServer/LocalPrivatizedDeployment.md`	Modified	Removed duplicated install steps; linked to Agent-Wallet/Intro
`docs/McpServer-Skills/MCP/TRONMCPServer/ToolList.md`	Modified	Added hyperlinks to "Agent Wallet mode" references

Purpose: Remove content duplication; all wallet setup details now live in the Agent-Wallet section.

3. Cross-Linking and Minor Doc Fixes (2 modified files)

File	Change Type	Description
`docs/McpServer-Skills/SKILLS/Faq.md`	Modified	"Agent Wallet" text converted to hyperlink
`docs/Openclaw-extension/Intro.md`	Modified	`bankofai-recharge` entry converted from plain text to a hyperlink

4. Navigation and Configuration

File	Change Type	Description
`sidebars.js`	Modified	Added "Agent Wallet" sidebar category with nested "Explore Further" section
`i18n/zh-Hans/.../current/sidebars.js`	Modified	Added same sidebar category for Chinese locale
`i18n/zh-Hans/.../current.json`	Modified	Added `"Explore Further"` → `"进一步探索"` i18n label
`package.json`	Modified	Version bump 1.2.3 → 1.2.4
`.github/workflows/docker.yml`	Modified	Branch filter updated from `ai-bankofai-patch-1` to `update-mcp-server`

5. Chinese i18n Content (6 new files)

New Chinese translations under i18n/zh-Hans/docusaurus-plugin-content-docs/current/Agent-Wallet/ mirroring all six English Agent-Wallet docs.

Detailed Findings

Major

[MJ-01] `--save-runtime-secrets` Documented Without a Security Warning

Property	Value
Severity	Major
Category	Security / Documentation
File	`docs/Agent-Wallet/Developer/CLI-Reference.md` : Lines 107–122

Description

The CLI-Reference introduces --save-runtime-secrets as a "True 'Set and Forget'" convenience method, describing it as "the ultimate convenience solution" and explaining that the password is "permanently cached in a local file (~/.agent-wallet/runtime_secrets.json)." No warning is provided about the security implications of this approach.

This is a significant security documentation gap. The entire Agent-Wallet value proposition rests on a two-factor security model: (1) the encrypted vault file and (2) the unlock password are stored separately. The --save-runtime-secrets feature collapses this into a single-factor model: anyone with read access to ~/.agent-wallet/ now has both the encrypted vault AND the plaintext password in the same directory. This is substantially weaker than the advertised dual-lock security model, yet the documentation presents it as an equally valid option with no downside.

Compare to how Method C (-p flag inline) receives a prominent :::danger block warning about terminal history. --save-runtime-secrets stores the password to disk with no such warning.

Code

### Method B: Local Password Cache (True "Set and Forget")

The ultimate convenience solution. After running a command once with the
`--save-runtime-secrets` flag, the password is permanently cached in a
local file (`~/.agent-wallet/runtime_secrets.json`). The next time you run
any signing command, the system automatically reads from the cache. No need
for inline passwords or environment variables:

```bash
agent-wallet sign msg "Hello" -n tron -p "Abc12345!" --save-runtime-secrets


**Recommendation**

Add a `:::caution` or `:::danger` admonition explaining that this stores the password in the same directory as the encrypted vault, reducing the dual-lock security model to a single-lock. Recommend this method only for fully isolated machines or development environments, and advise users to verify the file permissions of `runtime_secrets.json`:

```markdown
:::danger Security Trade-off: Collapses Dual-Lock to Single-Lock
`runtime_secrets.json` is stored **in the same directory as your encrypted
wallet file** (`~/.agent-wallet/`). This means anyone who can read that
directory now has both the password AND the encrypted keystore in one place —
the "two separate locks" security model no longer applies.

Only use this method on machines where the `~/.agent-wallet/` directory is
inaccessible to other users or processes. On shared or multi-tenant systems,
prefer Method A (environment variable injection) instead.
:::

[MJ-02] `echo` Command in QuickStart Silently Corrupts Passwords Containing Single Quotes

Property	Value
Severity	Major
Category	Correctness / Documentation
File	`docs/Agent-Wallet/QuickStart.md` : Lines 84–110

Description

The QuickStart guide instructs users to persist their master password with:

echo "export AGENT_WALLET_PASSWORD='your-master-password'" >> ~/.zshrc

The surrounding :::caution block correctly warns about $ and ! characters, instructing users to keep the single quotes. However, the documentation does not address the case where the master password itself contains a single-quote character (').

If a user's auto-generated password is, for example, P@ss'w0rd!, the resulting shell config line would be:

export AGENT_WALLET_PASSWORD='P@ss'w0rd!''

This is a shell syntax error. In some shells (e.g., bash) the variable would be silently set to P@ss (truncated at the first '), causing all subsequent signing commands to fail with an incorrect-password error — potentially leading users to believe their wallet is corrupted and reinitialize unnecessarily, losing access to funds if they have no mnemonic backup.

Code

**Step 1:** Copy the command below, replace the content inside the single quotes
with your actual password, paste it into the terminal and press Enter:

```bash
echo "export AGENT_WALLET_PASSWORD='your-master-password'" >> ~/.zshrc

:::caution Password has special characters? Don't touch the single quotes!
...

✅ Correct — single quotes, password saved as-is

echo "export AGENT_WALLET_PASSWORD='P@ss$w0rd!'" >> ~/.zshrc


**Recommendation**

Either:

1. **Verify that the `agent-wallet start` password generator never produces passwords containing single quotes** (acceptable if true, but should be documented), and add a note: *"Note: if you set your own password manually, avoid using single-quote characters."*

2. **Or document a `printf`-safe alternative** for arbitrary passwords:

```bash
# Handles any character including single quotes safely
printf "export AGENT_WALLET_PASSWORD='%s'\n" "$(printf '%s' 'your-master-password' | sed "s/'/'\\\\''/g")" >> ~/.zshrc

Option 1 is simpler and consistent with the beginner-friendly tone of the QuickStart page.

Minor

[MN-01] "Agent Wallet" Sidebar Category Missing Chinese Translation

Property	Value
Severity	Minor
Category	Documentation / i18n
File	`i18n/zh-Hans/docusaurus-plugin-content-docs/current/sidebars.js` : Lines 149–169

Description

The newly added "Agent Wallet" sidebar category label is left in English in the Chinese-locale sidebar (i18n/zh-Hans/.../sidebars.js). All other top-level categories in the same file have been translated (e.g., 'Openclaw 扩展插件', 'MCP Server' with Chinese subcategories). The nested subcategory "Explore Further" is correctly translated to '进一步探索', making the untranslated parent label an inconsistency.

Code

// i18n/zh-Hans/.../sidebars.js
{
  type: 'category',
  label: 'Agent Wallet',   // <-- English label in Chinese locale
  collapsed: false,
  items: [
    'Agent-Wallet/Intro',
    'Agent-Wallet/QuickStart',
    {
      type: 'category',
      label: '进一步探索',   // <-- Correctly translated
      ...
    },
    'Agent-Wallet/FAQ',
  ],
},

Recommendation

Either add a Chinese label:

label: 'Agent 钱包',

Or, if "Agent Wallet" is intentionally kept as a brand name, add a comment noting the decision:

label: 'Agent Wallet',  // Kept as brand name, intentionally untranslated

[MN-02] Docker Workflow Triggers Build/Push on Every Push to Feature Branch

Property	Value
Severity	Minor
Category	CI/CD
File	`.github/workflows/docker.yml` : Lines 5–16

Description

The Docker workflow now includes update-mcp-server in its push trigger list. As a result, every commit pushed to this feature branch (21 commits in this PR) triggers a Docker image build and push to Docker Hub with the test tag, overwriting the same tag repeatedly. This consumes unnecessary CI minutes, creates noisy image history, and risks pushing unstable documentation states to the test Docker tag.

The PR is still open, meaning this branch is likely to receive more commits before merge — each one will trigger another Docker build.

Code

on:
  push:
    branches:
      - main
      - master
      - update-mcp-server   # <-- feature branch triggers build + push
  pull_request:
    branches:
      - main
      - master
      - update-mcp-server

Recommendation

Remove update-mcp-server from the push trigger. The pull_request trigger (which runs on PR events but skips the push step) is sufficient for CI validation during development:

on:
  push:
    branches:
      - main
      - master
  pull_request:
    branches:
      - main
      - master
      - update-mcp-server
  workflow_dispatch:

[MN-03] Inconsistent Commit Messages Obscure Change History

Property	Value
Severity	Minor
Category	Code Quality / Maintainability
File	Commit history

Description

The majority of commits on this branch use non-descriptive messages (fix, fiix, fxi, update, update agent-wallet). With 21 commits and only a handful carrying meaningful messages, the branch history does not convey what was actually changed in each commit. This makes it difficult to bisect regressions, understand the evolution of the documentation, or identify which commit introduced a specific change without diffing each one individually.

Recommendation

Before merge, consider squashing or rebasing the branch into logical commits with descriptive messages, for example:

docs: add Agent-Wallet introduction and quick start guide
docs: add Agent-Wallet developer docs (CLI reference, SDK guide, cookbook)
docs: refactor MCP server docs to link to Agent-Wallet section
config: add Agent-Wallet sidebar navigation and i18n labels
ci: update docker workflow branch filter to update-mcp-server
chore: bump version to 1.2.4

Suggestions

[S-01] `package.json` Description Does Not Reflect Expanded Project Scope

File: package.json
Description: The description field still reads "x402-tron documentation", but the repository now covers Agent-Wallet, MCP Servers (TRON and SUN), Skills, and the Openclaw Extension. The narrow description may be misleading to contributors and automated tooling.
Suggestion: Update to something broader: "BofAI ecosystem documentation — Agent-Wallet, MCP Servers, Skills, and Openclaw Extension".

[S-02] `AGENT_WALLET_DIR` Environment Variable Example Uses Potentially Non-Expanding Tilde

File: docs/McpServer-Skills/MCP/SUNMCPServer/LocalPrivatizedDeployment.md, docs/McpServer-Skills/MCP/TRONMCPServer/LocalPrivatizedDeployment.md
Description: The example:

export AGENT_WALLET_DIR="~/.agent-wallet"

places a tilde inside double quotes. In bash and zsh, tilde expansion does not occur inside double quotes, so this would literally set AGENT_WALLET_DIR to the string ~/.agent-wallet rather than the expanded /home/username/.agent-wallet. Whether the Agent-Wallet tool handles tilde expansion internally is not documented. This may cause unexpected directory not found errors on some systems.
Suggestion: Use $HOME for reliable expansion across all shells:

export AGENT_WALLET_DIR="$HOME/.agent-wallet"

[S-03] `--save-runtime-secrets` Flow Does Not Show File Location Verification

File: docs/Agent-Wallet/Developer/CLI-Reference.md : Lines 107–122
Description: The --save-runtime-secrets feature stores credentials to ~/.agent-wallet/runtime_secrets.json but the documentation does not mention how to verify the file was created, what its structure looks like, or how to revoke/delete the cached secret if needed.
Suggestion: Add a note about how to list and remove cached secrets:

# View cached secrets (check what's stored)
cat ~/.agent-wallet/runtime_secrets.json

# Revoke cached secrets (forces password prompt on next run)
rm ~/.agent-wallet/runtime_secrets.json

[S-04] SDK-Cookbook EVM Example Uses Non-Null Assertion Without Error Handling

File: docs/Agent-Wallet/Developer/SDK-Cookbook.md : Lines ~270–285
Description: The TypeScript EVM transfer example contains:

maxFeePerGas: feeData.maxFeePerGas!,
maxPriorityFeePerGas: feeData.maxPriorityFeePerGas!,

The ! non-null assertions suppress TypeScript's safety check. On legacy networks or certain RPC providers, feeData.maxFeePerGas may be null (EIP-1559 not supported), causing a runtime crash. Since this is a "copy and run" cookbook example, users may deploy this pattern in production without realizing the risk.
Suggestion: Add a null check with a clear error message:

if (!feeData.maxFeePerGas || !feeData.maxPriorityFeePerGas) {
  throw new Error("Network does not support EIP-1559. Use a legacy gas price instead.");
}
const unsignedTx = {
  ...
  maxFeePerGas: feeData.maxFeePerGas,
  maxPriorityFeePerGas: feeData.maxPriorityFeePerGas,
  ...
};

Positive Observations

Area	Observation
Security messaging	Consistent, well-calibrated security warnings throughout all new docs — the `:::danger` and `:::caution` admonitions are placed appropriately and the dual-lock security model is clearly explained in multiple places
Shell quoting guidance	Correct and prominent single-quote guidance for passwords with special characters (`$`, `!`) — a common footgun that the docs handle well
Non-interactive mode coverage	CLI-Reference covers all three non-interactive patterns (env var, cached secret, inline `-p`) with clear use-case guidance for AI agents and CI pipelines
Code example quality	SDK-Cookbook examples are complete end-to-end scripts with real API endpoints, error handling, and testnet-first defaults — users can genuinely copy-paste and run them
MCP docs refactoring	Removing duplicated wallet-setup code from MCP Server docs and replacing it with links is the right architectural decision — single source of truth reduces drift risk
i18n completeness	All six new English docs have corresponding Chinese translations, and the new i18n sidebar key is added to `current.json` correctly
Security quote fix	`LocalPrivatizedDeployment.md` (both SUN and TRON) corrects `export AGENT_WALLET_PASSWORD="..."` (double quotes) to `export AGENT_WALLET_PASSWORD='...'` (single quotes) — a concrete security improvement
Cross-linking	The new docs are well cross-linked: each page in the Agent-Wallet section ends with a "Next Steps" table pointing to related pages
Docusaurus integration	New sidebar correctly uses the `collapsed: false` / `collapsed: true` pattern for progressive disclosure — high-value pages (Intro, QuickStart, FAQ) are always visible; developer docs are nested under "Explore Further"

Checklist Results

Category	Items Checked	Pass	Fail	N/A	Notes
Correctness	6	5	1	0	MJ-02: `echo` command with single-quote passwords
Security	8	7	1	0	MJ-01: `--save-runtime-secrets` lacks security warning
Performance	7	0	0	7	Documentation-only PR, not applicable
Code Quality	6	3	2	1	MN-03: commit messages; S-04: non-null assertions in examples
Testing	6	0	0	6	Documentation-only PR, not applicable
Documentation	6	4	2	0	MN-01: missing i18n translation; S-02: tilde expansion
Compatibility	5	4	0	1
Observability	4	0	0	4	Documentation-only PR, not applicable

Disclaimer

This is an automated code review. It supplements but does not replace human review. The reviewer analyzed only the diff between main and update-mcp-server. Runtime behavior, integration testing (e.g., actual Docusaurus build validation, broken link checking), and deployment impact are not covered. Actual behavior of the --save-runtime-secrets feature and the Agent-Wallet password generator's character set were inferred from documentation alone and should be verified against the implementation.

Report generated by Code Review Skill v1.0.0
Date: 2026-03-22

github-actions · 2026-03-22T04:36:38Z

Code Review Report

Project: x402-tron/docs
PR: main → update-mcp-server
Review Date: 2026-03-22
Reviewer: AI Code Reviewer (Code Review Skill v1.0.0)

PR Overview

Branch Information

Property	Value
From Branch	`main`
To Branch	`update-mcp-server`
Commits	22
Files Changed	31
Lines Added	+3,775
Lines Removed	-167

Commit History

Hash	Message
`cf49298`	fix
`b1bfecd`	update
`bc4a8f0`	fix
`e88dbfc`	update agent-wallet
`a956313`	update
`57d7156`	Create audit-pr.yml
`6728342`	update
`1ebd798`	Merge branch 'main' into update-mcp-server
`822bdae`	fix
`224d32d`	fiix
`3b87508`	fix
`824c0d7`	fix
`17c1057`	fix
`47b8030`	fxi
`7fe32d7`	Merge pull request #28
`2e02cab`	fix
`5dfcb8a`	fix
`a541e97`	fix
`956060e`	fix
`e5f417e`	fix
`fb1737f`	Merge pull request #26
`24cf00e`	fix

Review Summary

Verdict

Verdict: Request Changes

Findings at a Glance

	Critical	Major	Minor	Suggestion
Count	0	2	3	4

Summary

This PR introduces a comprehensive new Agent Wallet documentation section (6 new pages in English + 6 Chinese translations) and updates existing MCP Server documentation to cross-reference the new material. The documentation covers installation, CLI usage, SDK integration (TypeScript & Python), and full end-to-end code examples including real blockchain transactions on TRON and BSC.

The overall quality of the documentation content is high — it is well-structured, includes appropriate security warnings, and provides useful bilingual coverage. The security guidance is sound: the docs correctly recommend encrypted local vault mode over plaintext private key exposure, explain the two-lock security model, and warn readers explicitly about the risks of static injection mode and plaintext password caching.

Two Major issues were found in the SDK Cookbook's TypeScript code examples that developers are likely to copy verbatim into production: a non-null assertion on feeData fields that can legitimately be null, and the use of TypeScript non-null assertions more broadly in a pattern that promotes unsafe practices. Additionally, several minor and suggestion-level concerns relate to the CI workflow trigger becoming stale after merge, missing HTTP response status code checks in Python cookbook examples, and minor formatting inconsistencies in the Chinese translation files.

Change Summary

1. New Agent Wallet Documentation (English)

File	Change Type	Description
`docs/Agent-Wallet/Intro.md`	Added	Security introduction: threat model, two-lock design, comparison table
`docs/Agent-Wallet/QuickStart.md`	Added	3-step onboarding guide for non-developers
`docs/Agent-Wallet/FAQ.md`	Added	FAQ covering security, wallet types, installation, OpenClaw integration
`docs/Agent-Wallet/Developer/CLI-Reference.md`	Added	Complete CLI command reference including automation/non-interactive modes
`docs/Agent-Wallet/Developer/SDK-Guide.md`	Added	SDK integration guide for TypeScript and Python with code examples
`docs/Agent-Wallet/Developer/SDK-Cookbook.md`	Added	End-to-end runnable examples: TRON transfer, BSC/EVM transfer, x402 PaymentPermit signing

Purpose: Introduce a new first-class documentation section for the @bankofai/agent-wallet tool, replacing scattered inline instructions across MCP Server pages with a canonical reference.

2. New Agent Wallet Documentation (Chinese / i18n)

File	Change Type	Description
`i18n/zh-Hans/docusaurus-plugin-content-docs/current/Agent-Wallet/Intro.md`	Added	Chinese translation of Intro
`i18n/zh-Hans/.../Agent-Wallet/QuickStart.md`	Added	Chinese translation of QuickStart
`i18n/zh-Hans/.../Agent-Wallet/FAQ.md`	Added	Chinese translation of FAQ
`i18n/zh-Hans/.../Agent-Wallet/Developer/CLI-Reference.md`	Added	Chinese translation of CLI Reference
`i18n/zh-Hans/.../Agent-Wallet/Developer/SDK-Guide.md`	Added	Chinese translation of SDK Guide
`i18n/zh-Hans/.../Agent-Wallet/Developer/SDK-Cookbook.md`	Added	Chinese translation of SDK Cookbook
`i18n/zh-Hans/.../current.json`	Modified	Added Chinese label for "Explore Further" → "进一步探索"

Purpose: Provide full bilingual coverage for the new documentation.

3. Sidebar Navigation Updates

File	Change Type	Description
`sidebars.js`	Modified	Added "Agent Wallet" sidebar category with nested items
`i18n/zh-Hans/.../current/sidebars.js`	Modified	Mirror of English sidebar update for the Chinese locale

Purpose: Make the new Agent Wallet section discoverable in the left-hand documentation navigation.

4. MCP Server Documentation Updates

File	Change Type	Description
`docs/McpServer-Skills/MCP/SUNMCPServer/FAQ.md`	Modified	Replaced inline Agent Wallet setup instructions with links to new docs; condensed verbose troubleshooting steps
`docs/McpServer-Skills/MCP/SUNMCPServer/LocalPrivatizedDeployment.md`	Modified	Replaced inline install steps with link to new docs; fixed password quoting (`"` → `'`)
`docs/McpServer-Skills/MCP/TRONMCPServer/FAQ.md`	Modified	Hyperlinked "Agent Wallet" references; condensed troubleshooting steps
`docs/McpServer-Skills/MCP/TRONMCPServer/LocalPrivatizedDeployment.md`	Modified	Same as SUN equivalent — links + quoting fix
`docs/McpServer-Skills/MCP/TRONMCPServer/ToolList.md`	Modified	Added hyperlinks on "Agent Wallet" tool mode labels
`docs/McpServer-Skills/SKILLS/Faq.md`	Modified	Hyperlinked "Agent Wallet" text
`docs/Openclaw-extension/Intro.md`	Modified	Made `bankofai-recharge` entry in table a clickable hyperlink

Purpose: DRY up Agent Wallet setup instructions across all MCP Server pages, pointing to the new canonical docs; fix the incorrect double-quote password variable pattern.

5. Configuration & CI Changes

File	Change Type	Description
`.github/workflows/docker.yml`	Modified	Replaced `ai-bankofai-patch-1` branch trigger with `update-mcp-server`
`package.json`	Modified	Version bump `1.2.3` → `1.2.4`

Purpose: Keep the Docker CI workflow aligned with the active development branch; increment package version.

Detailed Findings

Major

[MJ-01] Non-null Assertions on `feeData` Fields in TypeScript EVM Example

Property	Value
Severity	Major
Category	Correctness / Code Quality
File	`docs/Agent-Wallet/Developer/SDK-Cookbook.md` : Lines 543–555

Description

The TypeScript BSC transfer example uses the non-null assertion operator (!) on feeData.maxFeePerGas and feeData.maxPriorityFeePerGas. These fields are typed as bigint | null in ethers.js v6 — they return null when queried on non-EIP-1559 networks or when legacy gas price mode is in effect. Using ! suppresses the TypeScript compiler error but causes a silent null to be passed into the transaction object, which will result in a transaction submission failure or 0 gas being applied on certain chains.

Since this is example code that developers will copy directly into production, demonstrating unsafe non-null assertions sets a poor precedent and may lead to bugs in user code.

Code

// docs/Agent-Wallet/Developer/SDK-Cookbook.md
const feeData = await rpcProvider.getFeeData();

const unsignedTx = {
  to: toAddress,
  value: ethers.parseEther(amountEther),
  gas: 21000n,
  maxFeePerGas: feeData.maxFeePerGas!,           // ← null assertion
  maxPriorityFeePerGas: feeData.maxPriorityFeePerGas!,  // ← null assertion
  nonce,
  chainId: CHAIN_ID,
  type: 2, // EIP-1559
};

Recommendation

const feeData = await rpcProvider.getFeeData();

if (!feeData.maxFeePerGas || !feeData.maxPriorityFeePerGas) {
  throw new Error(
    "Network does not support EIP-1559 fee data. " +
    "Try switching to a legacy gas price transaction (type: 0)."
  );
}

const unsignedTx = {
  to: toAddress,
  value: ethers.parseEther(amountEther),
  gas: 21000n,
  maxFeePerGas: feeData.maxFeePerGas,
  maxPriorityFeePerGas: feeData.maxPriorityFeePerGas,
  nonce,
  chainId: CHAIN_ID,
  type: 2,
};

[MJ-02] Stale `agent-wallet init` → `agent-wallet start` Transition Not Explicitly Noted

Property	Value
Severity	Major
Category	Documentation / Correctness
File	`docs/McpServer-Skills/MCP/TRONMCPServer/FAQ.md` : Lines 91–99

Description

The old TRON MCP Server FAQ section contained an explicit agent-wallet init command as the re-initialization command (removed in this PR). The new Agent Wallet documentation consistently uses agent-wallet start for wallet initialization. The deletion of the old block is appropriate, but users who previously bookmarked or cached the old instructions and then search for agent-wallet init will find no documentation about the command change.

More critically, the TRONMCPServer/FAQ.md previously had a clear code block showing agent-wallet init as the recovery path. The replacement just says "see the Agent-Wallet Quick Start" — but the new QuickStart only shows agent-wallet start for new wallets, not specifically for the "reset + re-initialize after password loss" scenario. This leaves a gap in the troubleshooting story.

Code

-2. **If the password is lost**, you'll need to re-initialize. Note: this creates a new wallet — funds in the old wallet must be recovered through other means.
-   ```bash
-   agent-wallet init
-   ```
+If the password is lost, you'll need to re-initialize — see the [Agent-Wallet Quick Start](../../../Agent-Wallet/QuickStart) and [Agent-Wallet FAQ](../../../Agent-Wallet/FAQ) for details.

Recommendation

Add an explicit note that agent-wallet init was renamed to agent-wallet start, or add a "Reset & Re-initialize" section to docs/Agent-Wallet/FAQ.md that explicitly documents the recovery workflow with the current agent-wallet reset + agent-wallet start sequence. The FAQ.md mentions agent-wallet reset but could be more explicit for the "after losing your password" scenario.

If the password is lost, you'll need to re-initialize your wallet using
`agent-wallet reset` followed by `agent-wallet start` — see [Agent-Wallet FAQ](../../../Agent-Wallet/FAQ#-what-if-i-forget-my-password)
for details. **Note**: This permanently deletes the old wallet; ensure you have
a mnemonic backup before proceeding.

Minor

[MN-01] CI Workflow Branch Trigger Will Be Stale After Merge

Property	Value
Severity	Minor
Category	Compatibility / Maintainability
File	`.github/workflows/docker.yml` : Lines 9–18

Description

The Docker build workflow now triggers on push and pull_request events targeting the update-mcp-server branch. Once this PR is merged into main, the update-mcp-server branch will no longer be the active development branch. The workflow trigger will remain forever, triggering builds for a branch that may never receive another push, or worse, may be reused for an unrelated purpose in the future.

Code

on:
  push:
    branches:
      - main
      - master
      - update-mcp-server   # ← becomes stale post-merge
  pull_request:
    branches:
      - main
      - master
      - update-mcp-server   # ← becomes stale post-merge

Recommendation

Remove the update-mcp-server branch trigger as a follow-up after this PR is merged, or use a wildcard pattern to capture all feature branches:

on:
  push:
    branches:
      - main
      - master
  pull_request:
    branches:
      - main
      - master
  workflow_dispatch:

[MN-02] Python Cookbook Examples Do Not Check HTTP Response Status Codes

Property	Value
Severity	Minor
Category	Correctness / Code Quality
File	`docs/Agent-Wallet/Developer/SDK-Cookbook.md` : Lines 420–453

Description

The Python TRON transfer example uses aiohttp to call TronGrid endpoints but does not check resp.status before attempting to parse the JSON body. If TronGrid returns a 4xx or 5xx error, await resp.json() will succeed (parsing the error JSON body), but the code will fall through to the txID check without signaling the HTTP error condition clearly. This is a teachable moment that the docs miss, and developers copying this code may find silent failures in error scenarios.

Code

async with session.post(
    f"{TRONGRID_API}/wallet/createtransaction",
    json={...},
) as resp:
    unsigned_tx = await resp.json()   # no status check

if "txID" not in unsigned_tx:
    raise ValueError(f"Failed to build transaction: {unsigned_tx}")

Recommendation

async with session.post(
    f"{TRONGRID_API}/wallet/createtransaction",
    json={...},
) as resp:
    resp.raise_for_status()  # raises ClientResponseError on 4xx/5xx
    unsigned_tx = await resp.json()

if "txID" not in unsigned_tx:
    raise ValueError(f"Failed to build transaction: {unsigned_tx}")

[MN-03] Missing Blank Line Before `---` Separator in Chinese CLI Reference

Property	Value
Severity	Minor
Category	Documentation / Formatting
File	`i18n/zh-Hans/docusaurus-plugin-content-docs/current/Agent-Wallet/Developer/CLI-Reference.md` : Lines 2350–2352

Description

The Chinese CLI Reference is missing a blank line before the --- horizontal rule that closes the shell script example section. This may cause Docusaurus/MDX to render the --- as a continuation of the preceding fenced code block instead of a thematic break, resulting in incorrect page rendering.

Code

# 接下来，你可以拿这个 $SIGNATURE 去发请求、拼 JSON，或者传给其他流水线任务...

--- ← no blank line before this


**Recommendation**

```markdown
# 接下来，你可以拿这个 $SIGNATURE 去发请求、拼 JSON，或者传给其他流水线任务...


Note: The corresponding English file (`docs/Agent-Wallet/Developer/CLI-Reference.md`) correctly has a blank line before this separator (line 218 in the diff). The Chinese version should be updated to match.

---

### Suggestions

#### [S-01] SDK-Cookbook TypeScript: Verify `signedTxHex` Prefix Assumption is Documented

**File:** `docs/Agent-Wallet/Developer/SDK-Cookbook.md` : Lines 563–564
**Description:** The code calls `rpcProvider.broadcastTransaction("0x" + signedTxHex)`, which assumes `wallet.signTransaction()` returns a hex string *without* the `0x` prefix. While the SDK Guide does state this ("all signing methods return a hex-encoded signature string (without the `0x` prefix)"), this implicit contract is not re-stated in the Cookbook where the code is likely to be copied in isolation.
**Suggestion:** Add an inline comment to make this assumption explicit:
```typescript
// wallet.signTransaction() returns hex without the "0x" prefix
const txResponse = await rpcProvider.broadcastTransaction("0x" + signedTxHex);

[S-02] `QuickStart.md` Step 2: Echo Command May Double-Write if Already Configured

File: docs/Agent-Wallet/QuickStart.md : Lines 1816–1817
Description: The recommended command echo "export AGENT_WALLET_PASSWORD='your-master-password'" >> ~/.zshrc will append the export line every time the user runs it. If a user follows the guide twice (e.g., after a password change), they will end up with duplicate entries in their shell config, with the older entry shadowing the newer one on some systems.
Suggestion: Either document this caveat, or recommend a pattern that checks for and replaces existing entries:

# Safer: replace existing entry if present, append if not
grep -q 'AGENT_WALLET_PASSWORD' ~/.zshrc \
  && sed -i "s|export AGENT_WALLET_PASSWORD=.*|export AGENT_WALLET_PASSWORD='your-master-password'|" ~/.zshrc \
  || echo "export AGENT_WALLET_PASSWORD='your-master-password'" >> ~/.zshrc

Alternatively, simply add a note: "If you've already configured this, edit ~/.zshrc directly instead of running the echo command again."

[S-03] `SDK-Guide.md`: `AGENT_WALLET_DIR` Default Uses `~` Which May Not Expand in All Contexts

File: docs/Agent-Wallet/Developer/SDK-Guide.md : Line 980 (Environment Variable Reference table)
Description: The table shows the default for AGENT_WALLET_DIR as ~/.agent-wallet. However, ~ is a shell shorthand that does not expand in all programming contexts (e.g., Python's os.path.exists("~/.agent-wallet") would fail). The docs don't clarify that the SDK resolves ~ to the home directory.
Suggestion: Clarify that the SDK handles home directory resolution, or show the expansion explicitly: "$HOME/.agent-wallet".

[S-04] `LocalPrivatizedDeployment.md`: Leftover `AGENT_WALLET_DIR` Still Uses Double Quotes

File: docs/McpServer-Skills/MCP/SUNMCPServer/LocalPrivatizedDeployment.md : Lines 2001–2003 (diff context)
Description: The PR correctly changes AGENT_WALLET_PASSWORD to use single quotes, but the accompanying AGENT_WALLET_DIR line in the same block still uses double quotes. While ~/.agent-wallet doesn't contain shell-special characters that would cause a problem, it's inconsistent with the now-established single-quote convention. The same applies to the TRON equivalent.

Code:

export AGENT_WALLET_PASSWORD='<your-master-password>'

# Optional: specify custom wallet directory (default: ~/.agent-wallet)
export AGENT_WALLET_DIR="~/.agent-wallet"   # ← still double quotes

Suggestion: Either use single quotes consistently, or document why double quotes are acceptable here (the path contains no special characters). Consistency reduces user confusion.

Positive Observations

Area	Observation
Security Warnings	The documentation is exemplary in clearly marking security-sensitive operations with `:::danger` and `:::caution` admonitions. Every insecure pattern (inline `-p`, `--save-runtime-secrets`, static injection mode) is accompanied by a prominent, plaintext-language warning.
Single-quote Fix	The PR correctly fixes `export AGENT_WALLET_PASSWORD="..."` (double quotes) to `export AGENT_WALLET_PASSWORD='...'` (single quotes) in all modified deployment guides — a subtle but important security improvement that prevents shell expansion of special characters in passwords.
Bilingual Coverage	All 6 new English pages have corresponding Chinese (zh-Hans) translations, and the sidebar navigation and translation JSON are correctly synchronized.
Error Handling in SDK Examples	The SDK Guide's error handling section is thorough — it documents all error types, shows proper `try/catch` patterns in both TypeScript and Python, and includes the error type hierarchy.
Code Quality in Examples	Python examples correctly use `asyncio` with `aiohttp` async context managers, and properly `await` async calls throughout. TypeScript examples use ethers.js v6 idioms correctly (e.g., `ethers.parseEther`, `ethers.JsonRpcProvider`).
DRY Principle Applied	The refactoring of Agent Wallet setup instructions from inline blocks in each MCP Server page to a single canonical documentation section is a textbook application of the DRY principle, significantly reducing maintenance burden.
Security Model Documentation	The `Intro.md` threat model (environment variable scanning, dependency poisoning, git history leaks) is clear, technically accurate, and compelling. The two-lock security model explanation is well articulated.
Password Special Character Guidance	The consistent, repeated guidance about using single quotes for passwords containing `$`, `!`, and other shell-special characters — with explicit correct/incorrect examples — is excellent defensive documentation.

Checklist Results

Category	Items Checked	Pass	Fail	N/A	Notes
Correctness	6	4	2	0	Non-null assertions (MJ-01); stale command reference (MJ-02)
Security	8	8	0	0	All sensitive operations properly warned
Performance	7	0	0	7	Documentation-only PR; not applicable
Code Quality	8	6	2	0	Non-null assertion pattern (MJ-01); missing HTTP status check (MN-02)
Testing	5	0	0	5	Documentation-only PR; not applicable
Documentation	6	5	1	0	Formatting issue in zh-Hans file (MN-03)
Compatibility	4	3	1	0	Stale CI branch trigger (MN-01)
Observability	4	0	0	4	Documentation-only PR; not applicable

Disclaimer

This is an automated code review. It supplements but does not replace human review. The reviewer analyzed only the diff between main and update-mcp-server. Runtime behavior, integration testing, and deployment impact are not covered.

Report generated by Code Review Skill v1.0.0
Date: 2026-03-22

github-actions · 2026-03-22T04:52:46Z

Code Review Report

Project: x402-tron/docs
PR: main → update-mcp-server
Review Date: 2026-03-22
Reviewer: AI Code Reviewer (Code Review Skill v1.0.0)

PR Overview

Branch Information

Property	Value
From Branch	`main`
To Branch	`update-mcp-server`
Commits	23
Files Changed	31
Lines Added	+3,807
Lines Removed	-176

Commit History

Hash	Message
`b8ea082`	fix
`cf49298`	fix
`b1bfecd`	update
`bc4a8f0`	fix
`e88dbfc`	update agent-wallet
`a956313`	update
`57d7156`	Create audit-pr.yml
`6728342`	update
`1ebd798`	Merge branch 'main' into update-mcp-server
`822bdae`	fix
`224d32d`	fiix
`3b87508`	fix
`824c0d7`	fix
`17c1057`	fix
`47b8030`	fxi
`7fe32d7`	Merge pull request #28 from BofAI/ai-bankofai-patch-1
`2e02cab`	fix
`5dfcb8a`	fix
`a541e97`	fix
`956060e`	fix
`e5f417e`	fix
`fb1737f`	Merge pull request #26 from BofAI/ai-bankofai-patch-1
`24cf00e`	fix

Review Summary

Verdict

Verdict: Approve (with minor suggestions)

Findings at a Glance

	Critical	Major	Minor	Suggestion
Count	0	1	4	4

Summary

This PR introduces the Agent Wallet documentation section — a new first-class product area covering installation, quick start, CLI reference, SDK guide, and SDK cookbook. In addition to the 6 new documentation files, the PR updates existing MCP Server docs to link to the new Agent Wallet section instead of repeating inline instructions, cleans up a security-sensitive debug step in the CI workflow, and bumps the package version. The i18n mirror (zh-Hans) is also kept in sync with all new and changed content.

The overall quality of this PR is high. The new documentation is comprehensive, well-structured, and internally cross-linked. A notable security improvement is the removal of a CI step that was printing Docker Hub credentials to build logs. A Major finding is raised regarding an inherently insecure wallet type (raw_secret) that is documented without sufficient emphasis on the risks it carries for a security-focused product. Several Minor findings relate to plaintext-secret features that are documented but represent risk surface worth addressing, one potentially broken cross-link, and a CI workflow concern.

Change Summary

1. CI/CD Workflow Update

File	Change Type	Description
`.github/workflows/docker.yml`	Modified	Replaced `ai-bankofai-patch-1` branch trigger with `update-mcp-server`; removed debug step that printed Docker Hub credentials

Purpose: Update CI to track the new feature branch and remove a security anti-pattern (logging credential metadata).

2. Package Version Bump

File	Change Type	Description
`package.json`	Modified	Version `1.2.3` → `1.2.4`

Purpose: Reflect the documentation content additions in the package version.

3. Navigation / Sidebar Registration

File	Change Type	Description
`sidebars.js`	Modified	Added "Agent Wallet" category with Intro, QuickStart, Explore Further sub-group (CLI, SDK Guide, SDK Cookbook), and FAQ
`i18n/zh-Hans/docusaurus-plugin-content-docs/current.json`	Modified	Added `"Explore Further"` → `"进一步探索"` sidebar label translation
`i18n/en/docusaurus-plugin-content-docs/current/sidebars.js`	Added	English locale sidebars mirror with same Agent Wallet category structure

Purpose: Surface the new Agent Wallet section in the site navigation.

4. New Agent Wallet Documentation (English + zh-Hans)

File	Change Type	Description
`docs/Agent-Wallet/Intro.md`	Added	Product intro, security model, chain support matrix, user path routing
`docs/Agent-Wallet/QuickStart.md`	Added	Step-by-step zero-to-signed walkthrough for non-developers
`docs/Agent-Wallet/FAQ.md`	Added	Risk FAQ, wallet types, security model deep-dive, troubleshooting
`docs/Agent-Wallet/Developer/CLI-Reference.md`	Added	Full CLI command reference including all flags, password strategies, dangerous operations
`docs/Agent-Wallet/Developer/SDK-Guide.md`	Added	TypeScript/Python SDK integration guide
`docs/Agent-Wallet/Developer/SDK-Cookbook.md`	Added	End-to-end runnable examples: TRON transfer, BSC transfer, x402 payment signing
`i18n/zh-Hans/docusaurus-plugin-content-docs/current/Agent-Wallet/*`	Added	Full zh-Hans mirrors of all 6 files above

Purpose: Provide complete documentation for the Agent Wallet product across user levels (casual user → developer).

5. Updated MCP Server Documentation

File	Change Type	Description
`docs/McpServer-Skills/MCP/SUNMCPServer/FAQ.md`	Modified	Replaced verbose inline Agent Wallet setup steps with concise references and links to the new Agent Wallet section
`docs/McpServer-Skills/MCP/SUNMCPServer/LocalPrivatizedDeployment.md`	Modified	Replaced GitHub external link with internal Agent-Wallet/Intro link; consolidated multi-wallet note; changed `"` to `'` for password quoting
`docs/McpServer-Skills/MCP/TRONMCPServer/FAQ.md`	Modified	Same pattern — inline steps replaced with links; added note about `AGENT_WALLET_DIR`
`docs/McpServer-Skills/MCP/TRONMCPServer/LocalPrivatizedDeployment.md`	Modified	Same as SUN version
`docs/McpServer-Skills/MCP/TRONMCPServer/ToolList.md`	Modified	`list_wallets` and `select_wallet` tool descriptions now link to Agent Wallet intro
`docs/McpServer-Skills/SKILLS/Faq.md`	Modified	"Agent Wallet" text replaced with hyperlink to new section
`docs/Openclaw-extension/Intro.md`	Modified	`bankofai-recharge` entry now links to the MCP endpoint URL
`i18n/zh-Hans/...` mirror files	Modified	Same changes in zh-Hans locale

Purpose: DRY the documentation — remove duplicate instructions and point readers to the canonical Agent Wallet section.

Detailed Findings

Major

[MJ-01] `raw_secret` Wallet Type Documents Insecure Plaintext Key Storage Without Adequate Deterrence

Property	Value
Severity	Major
Category	Security / Documentation
File	`docs/Agent-Wallet/FAQ.md` : Lines 66–77; `docs/Agent-Wallet/Developer/SDK-Guide.md` (static mode); `docs/Agent-Wallet/Developer/SDK-Cookbook.md` (Prerequisites section)

Description

The raw_secret wallet type stores the private key in plaintext on disk. The documentation describes this in a comparison table with the caption "Always use local_secure", but then proceeds to document static-mode environment variables (AGENT_WALLET_PRIVATE_KEY) as a first-class feature throughout the SDK Guide and Cookbook prerequisites. The product's core value proposition is eliminating plaintext key exposure, yet raw_secret directly contradicts this — and it is documented without a :::danger callout or equivalent prominent warning.

A user following the SDK Cookbook prerequisites could inadvertently configure AGENT_WALLET_PRIVATE_KEY (static mode) without understanding they've recreated the exact threat model the product claims to solve.

Code

<!-- docs/Agent-Wallet/FAQ.md -->
| | `local_secure` | `raw_secret` |
| :--- | :---: | :---: |
| **Key encryption** | ✅ Strong encryption | ❌ Plaintext |
| **If an agent reads the file** | ✅ Key is inaccessible | ❌ Stolen instantly |
| **Use case** | ✅ All scenarios | ⚠️ Fully isolated dev environments only |

**Always use `local_secure`** unless you're 100% certain no other agent is running on that machine.

<!-- docs/Agent-Wallet/Developer/SDK-Cookbook.md — Prerequisites section -->
3. Set `AGENT_WALLET_PASSWORD` (local `local_secure` mode) or `AGENT_WALLET_PRIVATE_KEY` (static mode)

Recommendation

Add a :::danger admonition wherever raw_secret / static mode (AGENT_WALLET_PRIVATE_KEY) is mentioned. In the Cookbook prerequisites, either (a) remove the static-mode option entirely and direct readers to the Quick Start for wallet setup, or (b) wrap it in an explicit danger block:

:::danger Static mode exposes your private key as plaintext
`AGENT_WALLET_PRIVATE_KEY` stores your key unencrypted in an environment variable — the exact exposure `local_secure` mode is designed to prevent. Only use this in a fully isolated, offline test environment with no other processes running.
:::

Minor

[MN-01] `--save-runtime-secrets` Flag Caches Master Password in Plaintext

Property	Value
Severity	Minor
Category	Security / Documentation
File	`docs/Agent-Wallet/Developer/CLI-Reference.md` : Method B section

Description

The --save-runtime-secrets feature persists the master password in plaintext to ~/.agent-wallet/runtime_secrets.json. The documentation uses a :::danger callout, which is appropriate, but the feature is still presented as a valid "Method B" — a "Set and Forget" solution — alongside the safer environment variable approach. Given that the product's security model relies on the physical-file + password separation, caching the password on disk alongside the wallet file completely defeats the dual-lock model.

Code

### Method B: Local Password Cache (True "Set and Forget")
...
agent-wallet sign msg "Hello" -n tron -p "Abc12345!" --save-runtime-secrets

:::danger Security Warning
`runtime_secrets.json` stores your master password in **plaintext**. Any program with access
to your file system can read it directly.
:::

Recommendation

Consider demoting this to an appendix or "Advanced / Dangerous" section rather than presenting it as a numbered method equivalent to the environment variable approach. Alternatively, add a note explicitly stating that this negates the dual-lock security model:

:::danger This disables the dual-lock protection
Caching the password next to the wallet file means a single file system compromise grants full access to funds — defeating the core security model of Agent-wallet. Use only for throwaway test wallets.
:::

[MN-02] Inline `-p` Password Flag Documented Without Discouraging Shell History Exposure

Property	Value
Severity	Minor
Category	Security / Documentation
File	`docs/Agent-Wallet/Developer/CLI-Reference.md` : Method C section

Description

Method C documents passing the master password inline via -p "Abc12345!". The accompanying :::danger callout correctly warns that the password will appear in shell history, but the same -p flag is also used without any warning in the agent-wallet start command examples at the top of the file (e.g., agent-wallet start -p Abc12345!). A user following the "Basic Commands" section first will not see the history warning until they reach Method C further down.

Code

<!-- Top of CLI-Reference.md — no warning here -->
**Custom password:**
```bash
agent-wallet start -p Abc12345!

:::danger Security Warning
When using -p to pass the password inline, the plaintext password is permanently
recorded in your terminal's history.
:::


**Recommendation**

Add a `:::caution` note immediately after the first `agent-wallet start -p` example near the top of the file, pointing to the password configuration section:

```markdown
:::caution Shell history risk
Passing `-p` inline records the password in your terminal history. For production wallets,
prefer setting `AGENT_WALLET_PASSWORD` as an environment variable — see [Password Configuration](#password-configuration).
:::

[MN-03] `update-mcp-server` Branch Trigger Remains in CI After Merge

Property	Value
Severity	Minor
Category	Compatibility / CI
File	`.github/workflows/docker.yml` : Lines 8, 14

Description

The docker.yml workflow was updated to trigger on push and pull_request events for the update-mcp-server branch. This is appropriate while the PR is in development, but once this branch is merged into main, the update-mcp-server branch trigger becomes dead weight. More importantly, if another developer creates a branch named update-mcp-server in the future, it will inadvertently trigger CI builds and Docker Hub pushes.

Code

on:
  push:
    branches:
      - main
      - master
      - update-mcp-server   # <-- should be removed post-merge
  pull_request:
    branches:
      - main
      - master
      - update-mcp-server   # <-- should be removed post-merge

Recommendation

Remove the update-mcp-server branch from both push and pull_request triggers in a follow-up commit immediately after this PR is merged:

on:
  push:
    branches:
      - main
      - master
  pull_request:
    branches:
      - main
      - master
  workflow_dispatch:

[MN-04] Potentially Unresolved Cross-Link in `QuickStart.md`

Property	Value
Severity	Minor
Category	Documentation
File	`docs/Agent-Wallet/QuickStart.md` : Step 3 section

Description

QuickStart.md references ../Openclaw-extension/QuickStart.md in the Step 3 callout. A docs/Openclaw-extension/QuickStart.md file was not included in this PR's diff, nor is it visible in the changed files stat. If this file does not exist on the main branch either, Docusaurus will generate a broken link warning at build time (or a 404 at runtime if warnings are suppressed).

Code

:::info Haven't installed OpenClaw Extension yet?
Head to [OpenClaw Extension Quick Start](../Openclaw-extension/QuickStart.md) first, then come back here.
:::

Recommendation

Verify whether docs/Openclaw-extension/QuickStart.md exists on the merged main branch. If it does not exist, either:

Replace the link with the existing docs/Openclaw-extension/Intro.md, or
Create a stub QuickStart.md in a follow-up PR.

Run yarn build (or docusaurus build) locally before merge to surface any broken-link errors.

Suggestions

[S-01] Commit Messages Are Non-Descriptive

File: .github/ / all changed files
Description: All 23 commits in this branch use generic messages ("fix", "update", "fiix"). This makes it impossible to trace which commit introduced which change when debugging regressions or doing git bisect.
Suggestion: Establish a commit message convention (e.g., Conventional Commits: docs(agent-wallet): add CLI reference) and apply it going forward. The existing history cannot be changed without a rebase, but this is worth addressing in future branches.

[S-02] i18n English Locale `current.json` Not Updated

File: i18n/en/docusaurus-plugin-content-docs/current.json
Description: The zh-Hans locale current.json was updated to add the "Explore Further" → "进一步探索" label. The English locale current.json does not appear to have a corresponding "Explore Further" entry added. Depending on Docusaurus configuration, this may result in the "Explore Further" sidebar category rendering without a translated label in the English locale.
Suggestion: Verify whether the English current.json requires an explicit entry for the "Explore Further" label, and add it if so:

"sidebar.docsSidebar.category.Explore Further": {
  "message": "Explore Further",
  "description": "The label for category Explore Further in sidebar docsSidebar"
}

[S-03] `OpenClaw Extension QuickStart` Link in `Intro.md` Points to `.md` Extension

File: docs/Agent-Wallet/Intro.md
Description: The cross-link [OpenClaw Extension](../Openclaw-extension/Intro.md) uses a .md file extension. In Docusaurus, internal links can use either the .md extension or the bare path. Consistency with the rest of the codebase is preferable.
Suggestion: Audit whether the project convention omits .md in cross-links (e.g., ./QuickStart vs ./QuickStart.md) and normalise the new Agent Wallet docs accordingly.

[S-04] `bankofai-recharge` Link in `Openclaw-extension/Intro.md` Points to MCP Endpoint URL Instead of Docs

File: docs/Openclaw-extension/Intro.md
Description: The bankofai-recharge entry was changed from plain text to a hyperlink pointing to https://recharge.bankofai.io/mcp — the live MCP endpoint URL, not a documentation page. Users clicking this link would receive a raw MCP API response, not a human-readable page.
Suggestion: Either link to a dedicated documentation page for the recharge MCP (if one exists or will be created), or revert to plain text / a link to the bankofai.io main site, and keep the endpoint URL only in the description column:

| **bankofai-recharge** | BANK OF AI (Remote) | Remote recharge MCP — top up your BANK OF AI account via on-chain USDT. Default endpoint: `https://recharge.bankofai.io/mcp` |

Positive Observations

Area	Observation
Security — CI	The removal of the `Debug Docker Hub secrets` step eliminates a long-standing security anti-pattern where the Docker Hub token length (and username) were printed to publicly viewable build logs on every non-PR push.
Security — Documentation	`QuickStart.md` includes an excellent `:::tip Why not use the echo command?` callout explaining that shell history files are scanned by backup utilities and AI assistants — directly relevant to the product's threat model.
Security — Documentation	The password single-quote guidance (`'P@ss$w0rd!'` vs `"P@ss$w0rd!"`) throughout the changed MCP docs correctly prevents silent shell expansion of `$` characters in passwords. This change was applied consistently across both SUN and TRON deployment docs.
Documentation — DRY	Replacing verbose inline Agent Wallet setup instructions in MCP docs with concise sentences + internal links is the correct approach. It reduces maintenance burden and ensures users always see up-to-date instructions.
Documentation — Structure	The new Agent Wallet section is well-layered: security pitch (Intro) → zero-friction onboarding (QuickStart) → full reference (CLI/SDK) → FAQs. The routing table at the bottom of each doc ("I want to… → Go here") is an excellent UX pattern for multi-audience documentation.
Documentation — Completeness	The SDK Cookbook provides complete, runnable end-to-end examples (TRON transfer, BSC transfer, x402 payment) including error handling, dependency installation, and expected output — significantly above the minimum bar for API documentation.
i18n	The zh-Hans locale is kept in sync with all new and modified English content in the same PR, avoiding documentation drift between languages.

Checklist Results

Category	Items Checked	Pass	Fail	N/A	Notes
Correctness	5	5	0	3	No logic errors in config/sidebar changes; doc cross-links mostly correct (see MN-04)
Security	8	6	2	0	`raw_secret` exposure (MJ-01), plaintext password cache (MN-01); positive: debug secret step removed
Performance	7	7	0	0	Documentation-only changes; no performance impact
Code Quality	8	6	0	2	Commit message quality (S-01); internal link style inconsistency (S-03) flagged as suggestions
Testing	5	2	0	3	No automated link-checking present; docs build should be verified before merge (MN-04)
Documentation	6	6	0	0	Comprehensive; minor i18n gap (S-02) and broken external link (S-04) as suggestions
Compatibility	5	4	1	0	CI branch trigger should be cleaned up post-merge (MN-03)
Observability	4	4	0	0	N/A for docs changes; CI workflow change is observable

Disclaimer

This is an automated code review. It supplements but does not replace human review. The reviewer analyzed only the diff between the specified branches (main...update-mcp-server). Runtime behavior, integration testing, and deployment impact are not covered.

Report generated by Code Review Skill v1.0.0
Date: 2026-03-22

github-actions · 2026-03-23T07:49:26Z

Code Review Report

Project: x402-tron/docs (BankOfAI Documentation)
PR: main → update-mcp-server
Review Date: 2026-03-23
Reviewer: AI Code Reviewer (Code Review Skill v1.0.0)

PR Overview

Branch Information

Property	Value
From Branch	`main`
To Branch	`update-mcp-server`
Commits	34
Files Changed	36
Lines Added	+4,904
Lines Removed	-905

Commit History (Recent)

Hash	Message
`5ecdb8c`	update agent wallet
`b1e80c3`	update skills docs
`b6e023f`	workflow add update-mcp-server
`a5b2e70`	highlight agent wallet
`1ec9118`	fix
`4dff899`	fix new major audio issues
`26ff9f5`	fix MAJOR-1: echo $AGENT_WALLET_PASSWORD Instructs Users to Print Password to Terminal
`b92448f`	fix audio new issues
`ee9c759`	fix audio issues

Review Summary

Verdict

Verdict: Approve with Minor Issues

Findings at a Glance

	Critical	Major	Minor	Suggestion
Count	0	0	7	5

Summary

This PR introduces a significant documentation expansion: a brand-new Agent Wallet section (six new files) covering introductory concepts, quick-start guidance, CLI reference, SDK guide, cookbook, and FAQ. It also substantially rewrites the SKILLS documentation for a more user-friendly, prompt-driven format, and fixes several pre-existing security issues in the MCP server documentation.

The overall quality of this PR is high. The most impactful changes — removing echo $AGENT_WALLET_PASSWORD from troubleshooting guides and stripping a debug CI step that printed Docker Hub credentials — are straightforward, correct security fixes. The switch from double to single quotes for sensitive export commands is applied consistently, and the AGENT_WALLET_DIR path bug ("~/.agent-wallet" → "$HOME/.agent-wallet") is correctly resolved.

Minor concerns centre on: a documented --save-runtime-secrets feature that stores the master password in plaintext; a workflow_dispatch comment that could mislead readers; a content-to-filename mismatch in BANKOFAISkill.md; and a gap where the agent-wallet reset command is referenced across multiple FAQ pages but its anchor may not exist in the CLI Reference's basic commands section. None of these are blocking issues, but the items below should be addressed before the next major release.

Change Summary

1. CI/CD Workflow Update

File	Change Type	Description
`.github/workflows/docker.yml`	Modified	Branch trigger updated; debug credentials step removed; `workflow_dispatch` comment added

Purpose: Replace the stale ai-bankofai-patch-1 branch trigger with update-mcp-server; eliminate a debug step that printed DOCKERHUB_USERNAME and the token length to CI logs; add an explanatory comment to workflow_dispatch.

2. Project Version Bump

File	Change Type	Description
`package.json`	Modified	Version 1.2.3 → 1.2.4

Purpose: Increment the minor version to reflect this documentation release.

3. Sidebar Navigation Updates

File	Change Type	Description
`sidebars.js`	Modified	Added `McpServer-Skills/SKILLS/QuickStart`; added full `Agent Wallet` category with nested `Explore Further` group
`i18n/en/…/current/sidebars.js`	Modified	Mirror of above

Purpose: Wire up the new Agent Wallet documentation and the new SKILLS QuickStart page into the site navigation.

4. New Agent Wallet Documentation (6 new files)

File	Change Type	Description
`docs/Agent-Wallet/Intro.md`	Added	High-level security rationale, how it works, audience-segmented on-ramps
`docs/Agent-Wallet/QuickStart.md`	Added	Three-step end-to-end guide for non-technical users
`docs/Agent-Wallet/FAQ.md`	Added	Top user questions: safety, offline signing, forgotten password, encryption details
`docs/Agent-Wallet/Developer/CLI-Reference.md`	Added	Full command reference: start, sign, add, list, use, remove, reset, non-interactive modes
`docs/Agent-Wallet/Developer/SDK-Guide.md`	Added	TypeScript/Python SDK integration walkthrough
`docs/Agent-Wallet/Developer/SDK-Cookbook.md`	Added	End-to-end code samples: TRON transfers, BSC transfers, x402 payment signing
(i18n mirrors)	Added	Same set mirrored under `i18n/en/docusaurus-plugin-content-docs/current/Agent-Wallet/`

Purpose: Introduce comprehensive documentation for the Agent Wallet product, covering installation, wallet management, signing operations, and SDK usage across TypeScript and Python.

5. MCP Server Documentation — Security & Accuracy Fixes

File	Change Type	Description
`docs/McpServer-Skills/MCP/SUNMCPServer/FAQ.md`	Modified	Replaced `echo $AGENT_WALLET_PASSWORD` with safe no-print check; replaced `rm -rf ~/.agent-wallet/ + agent-wallet start` with `agent-wallet reset`; single-quote fixes; added links to new Agent Wallet docs
`docs/McpServer-Skills/MCP/SUNMCPServer/LocalPrivatizedDeployment.md`	Modified	Deferred Agent Wallet install instructions to new docs; fixed `AGENT_WALLET_DIR` tilde expansion bug; single-quote fix
`docs/McpServer-Skills/MCP/TRONMCPServer/FAQ.md`	Modified	Same password-print and reset-command fixes; condensed to prose; added links to new Agent Wallet docs
`docs/McpServer-Skills/MCP/TRONMCPServer/LocalPrivatizedDeployment.md`	Modified	Same as SUN equivalent
`docs/McpServer-Skills/MCP/TRONMCPServer/ToolList.md`	Modified	Hyperlinked `list_wallets` and `select_wallet` descriptions to Agent Wallet intro
(i18n mirrors)	Modified	Same set mirrored

Purpose: Fix several pre-existing security issues in the MCP server docs; link new Agent Wallet documentation; modernise reset instructions.

6. SKILLS Documentation Rewrite

File	Change Type	Description
`docs/McpServer-Skills/SKILLS/Intro.md`	Modified	Rewritten from technical skill-structure explanation to user-friendly product introduction
`docs/McpServer-Skills/SKILLS/BANKOFAISkill.md`	Modified	Rewritten from credential-focused setup guide to prompt-driven skill catalog
`docs/McpServer-Skills/SKILLS/Faq.md`	Modified	Reorganised by user urgency (troubleshooting first, concepts last); safety Q&A expanded
`docs/McpServer-Skills/SKILLS/QuickStart.md`	Added	New 2-step install + first-run guide for non-technical users
(i18n mirrors)	Modified/Added	Same set mirrored

Purpose: Shift the SKILLS documentation from developer-oriented technical reference to user-first onboarding material; add an explicit quick-start path.

Detailed Findings

Minor

[MN-01] `--save-runtime-secrets` Caches Master Password in Plaintext — Danger Warning Needs Reinforcement

Property	Value
Severity	Minor
Category	Security / Documentation
File	`docs/Agent-Wallet/Developer/CLI-Reference.md` : Method B section

Description
The CLI Reference documents a --save-runtime-secrets flag that writes the master password to ~/.agent-wallet/runtime_secrets.json in plaintext. A :::danger admonition is present, but the feature is framed as a "convenience vs. security trade-off" — language that underplays the severity. For a product whose primary value proposition is the dual-lock security model, documenting a flag that silently tears down both locks creates a discoverability risk: a user who skims the heading without reading the warning may enable it on a real-funds wallet.

Code

### Method B: Local Password Cache (Convenience vs. Security Trade-off)

After running a command once with the `--save-runtime-secrets` flag, the password
is permanently cached in a local file (`~/.agent-wallet/runtime_secrets.json`).

Recommendation
Replace the neutral framing ("Convenience vs. Security Trade-off") with an unambiguous scope restriction in the section heading and opening sentence, e.g.:

### Method B: Local Password Cache (Throwaway Test Wallets Only)

> **Do not use for wallets holding real funds.** This flag writes your master
> password to `~/.agent-wallet/runtime_secrets.json` in plaintext, permanently
> defeating Agent-wallet's dual-lock security model.

Also consider adding --save-runtime-secrets to a "flags to avoid" table at the top of the CLI Reference so it surfaces before a user reaches the detailed description.

[MN-02] Inline `-p` Flag in CLI Examples Leaks Password to Shell History — Warning Is in the Wrong Section

Property	Value
Severity	Minor
Category	Security / Documentation
File	`docs/Agent-Wallet/Developer/CLI-Reference.md` : Method C section

Description
The shell-history risk of passing passwords via -p is documented in Method A (environment variable section), but Method C ("Inline -p Flag") uses agent-wallet start -p Abc12345! as its primary example without repeating the warning. A reader who jumps directly to Method C — the most ergonomic option — will not encounter the caution.

Code

agent-wallet sign msg "Hello" -n eip155:56 -w my-bsc-wallet -p 'Abc12345!'

Recommendation
Add a concise :::caution block at the top of the Method C section:

:::caution Shell history exposure
Passing `-p` inline records the password in your terminal's history file
(`.zsh_history` / `.bash_history`). Use this method for one-off commands only —
never in scripts, CI pipelines, or shared terminals.
:::

[MN-03] `workflow_dispatch` Comment Is Misleading

Property	Value
Severity	Minor
Category	Documentation / Code Quality
File	`.github/workflows/docker.yml` : line 13

Description
The PR adds the comment # Intentionally unrestricted — allows manual builds from any branch for flexibility to workflow_dispatch. This implies a deliberate architectural choice, but workflow_dispatch without a branches filter is simply the GitHub Actions default — no special configuration was made. The comment may mislead a future maintainer into thinking that removing it would also add a restriction, or that some explicit opt-out of branch filtering was applied.

Code

  workflow_dispatch: # Intentionally unrestricted — allows manual builds from any branch for flexibility

Recommendation
Either remove the comment (the default behaviour is already well-documented by GitHub) or replace it with a more precise statement:

  workflow_dispatch: # No branch filter — GitHub default; allows manual triggers from any branch

[MN-04] `BANKOFAISkill.md` Filename No Longer Matches Page Title

Property	Value
Severity	Minor
Category	Code Quality / Documentation
File	`docs/McpServer-Skills/SKILLS/BANKOFAISkill.md` : Line 1

Description
The file was renamed from the heading "BANK OF AI Skills" to "Skill Catalog", but the file itself was not renamed. The URL slug generated by Docusaurus will remain /McpServer-Skills/SKILLS/BANKOFAISkill, which conflicts with the displayed page title "Skill Catalog". This creates a confusing breadcrumb and URL for users, and makes it harder to discover via search.

Code

-# BANK OF AI Skills
+# Skill Catalog

Recommendation
Rename the file to SkillCatalog.md (or skill-catalog.md) and update all references in sidebars.js, i18n/en/…/sidebars.js, and any cross-links in other docs. Alternatively, add slug: BANKOFAISkill as explicit Docusaurus front matter to preserve the URL while using the new title.

[MN-05] `agent-wallet reset` Anchor May Not Resolve in CLI Reference

Property	Value
Severity	Minor
Category	Documentation
File	`docs/McpServer-Skills/MCP/SUNMCPServer/FAQ.md`, `docs/McpServer-Skills/MCP/TRONMCPServer/FAQ.md`, `docs/Agent-Wallet/FAQ.md`

Description
Three separate FAQ files link to ../../../Agent-Wallet/Developer/CLI-Reference#agent-wallet-reset-reset-all-data. However, the CLI Reference diff reviewed does not show an agent-wallet reset section in the basic commands area — the visible diff covers start, sign, add, list, use, inspect, remove, and the non-interactive execution methods, but a dedicated reset heading with the exact slug agent-wallet-reset-reset-all-data is not confirmed. If the anchor is missing, all three deep links will silently land at the top of the CLI Reference page rather than the relevant section, creating a confusing experience for users in exactly the crisis situation (lost password, wallet corruption) where they need the most direct help.

Code

Run `agent-wallet reset` to wipe and start over — see
[CLI Reference → Reset](../../../Agent-Wallet/Developer/CLI-Reference#agent-wallet-reset-reset-all-data)

Recommendation
Verify that docs/Agent-Wallet/Developer/CLI-Reference.md contains a heading that generates the anchor agent-wallet-reset-reset-all-data (e.g., ## \agent-wallet reset` (Reset All Data)`). If not, add the section or correct the anchor slug in all three FAQ files.

[MN-06] SKILLS QuickStart Install Script Uses Unverified `curl | bash`

Property	Value
Severity	Minor
Category	Security / Documentation
File	`docs/McpServer-Skills/SKILLS/QuickStart.md` : Step 1

Description
The primary installation method instructs users to run curl -fsSL https://raw.githubusercontent.com/BofAI/openclaw-extension/refs/heads/main/install.sh | bash. This fetches and executes arbitrary shell code from a dynamic branch reference (refs/heads/main), without any integrity check (e.g., a checksum or a pinned commit SHA). A supply-chain compromise of the main branch of openclaw-extension would silently affect all users following these instructions. An alternative git-clone path is documented but is presented as secondary.

Code

curl -fsSL https://raw.githubusercontent.com/BofAI/openclaw-extension/refs/heads/main/install.sh | bash

Recommendation
Either pin the URL to a versioned tag or commit SHA (preferred), or promote the git-clone-inspect path as the primary method:

# Recommended (inspect before running)
git clone https://github.com/BofAI/openclaw-extension.git
cat openclaw-extension/install.sh   # inspect first
bash openclaw-extension/install.sh

If a dynamic URL is intentional, document that users should run curl ... | cat first and review the script before executing.

[MN-07] SKILLS Intro.md Removes Technical Skill-Structure Documentation

Property	Value
Severity	Minor
Category	Documentation
File	`docs/McpServer-Skills/SKILLS/Intro.md`

Description
The original Intro.md contained a well-structured explanation of what a Skill file looks like (directory layout, SKILL.md frontmatter schema, scripts/, resources/, package.json). This was the canonical reference for developers wanting to create their own Skills. The rewrite replaces this entirely with a product-marketing introduction aimed at end users. The technical reference is not replicated in BANKOFAISkill.md or any other new file in this PR.

Code (removed)

## What Does a Skill Look Like?
A Skill is a folder with a very simple structure:
| File/Directory | Purpose | Required? |
| `SKILL.md` | Core instruction document | **Yes** |
| `scripts/` | Executable scripts | Optional |
| `resources/` | Reference data | Optional |
| `package.json` | npm dependency declaration | Optional |

The top of `SKILL.md` contains YAML Frontmatter...

Recommendation
Add a new Developer/Creating-Skills.md page (or add a "For Developers" section to BANKOFAISkill.md) that preserves the Skill authoring reference — file structure, SKILL.md frontmatter schema, and the guidance on name/description for AI matching. Wire it up in sidebars.js under a collapsed developer sub-section.

Suggestions

[S-01] Add Version Front Matter to New Agent Wallet Docs

File: All 6 new docs/Agent-Wallet/ files
Description: None of the new files include Docusaurus front matter (e.g., sidebar_position, description, keywords). Adding minimal front matter would improve SEO and sidebar ordering reliability.
Suggestion:

---
sidebar_position: 1
description: "Learn how Agent-wallet protects your private keys with a dual-lock encryption model."
keywords: [agent-wallet, private key, encryption, TRON, AI agent]
---

[S-02] TypeScript SDK `TextEncoder` Usage Should Be Verified Against Actual API

File: docs/Agent-Wallet/Intro.md : Developer path section
Description: The TypeScript SDK example in Intro.md passes new TextEncoder().encode("Hello!") (a Uint8Array) to wallet.signMessage(). Most blockchain signing SDKs accept a string or Uint8Array for raw-bytes signing, but if the SDK's signMessage is designed to follow EIP-191 personal sign semantics (which prepends a standard prefix), passing a Uint8Array could produce a different signature than a user expects.
Suggestion: Confirm the SDK interface accepts Uint8Array directly and that this produces the same result as wallet.signMessage("Hello!"). Update the example to match the primary supported usage pattern, and add a comment explaining when to use TextEncoder vs. a plain string.

[S-03] `McpServer-Skills/Intro.md` Should Reference the New SKILLS QuickStart

File: i18n/en/docusaurus-plugin-content-docs/current/McpServer-Skills/Intro.md
Description: The diff shows McpServer-Skills/Intro.md was modified (8 lines changed). The SKILLS section now has a QuickStart page but it's not clear whether McpServer-Skills/Intro.md links to it. If the top-level MCP intro page doesn't reference the new SKILLS QuickStart, new users may miss the fastest on-ramp.
Suggestion: Ensure McpServer-Skills/Intro.md (both the main and i18n version) contains a direct link to McpServer-Skills/SKILLS/QuickStart.

[S-04] Document Agent Wallet Version Compatibility Requirements

File: docs/Agent-Wallet/Intro.md, docs/Agent-Wallet/QuickStart.md
Description: The docs mention npm install -g @bankofai/agent-wallet but do not specify a minimum version of the package required to support agent-wallet reset, agent-wallet start (vs. the older agent-wallet init), and the --save-runtime-secrets flag. Users with older installations may hit unexpected errors when following new docs.
Suggestion: Add a callout noting the minimum @bankofai/agent-wallet version required for the features documented in this PR, and add agent-wallet --version to the verification step.

[S-05] SKILLS/Faq.md Credentials Configuration Now Only References Agent Wallet — Should Also Cover Fallback

File: docs/McpServer-Skills/SKILLS/Faq.md
Description: The old FAQ had a clear export TRON_PRIVATE_KEY="your_private_key" section. The new FAQ focuses on Agent Wallet as the recommended path, with the plaintext key setup delegated to a link in BANKOFAISkill.md. Users who cannot or choose not to use Agent Wallet (e.g., in CI environments without a wallet file) may not find the plaintext-key fallback easily. The FAQ currently has no answer for "How do I set a raw TRON_PRIVATE_KEY?"
Suggestion: Add a brief "I want to use a raw private key instead" entry that links directly to the relevant section of the Local Deployment docs or BANKOFAISkill quick-start, so users on both paths can self-serve from the FAQ.

Positive Observations

Area	Observation
Security: password echo fix	Replacing `echo $AGENT_WALLET_PASSWORD` with `[[ -n "$AGENT_WALLET_PASSWORD" ]] && echo "set" \|\| echo "not set"` across all FAQ pages is the correct fix for the prior audit finding. Consistently applied in both SUN and TRON MCP FAQs.
Security: CI debug step removal	Removing the `Debug Docker Hub secrets` step that printed `echo "username=[$DOCKERHUB_USERNAME]"` to CI logs eliminates a credential exposure risk.
Security: single-quote hygiene	Switching all sensitive `export` commands from double quotes to single quotes (`'your_password'`) is correct and consistently applied. It prevents shell expansion of `$`, `!`, and backtick characters in passwords.
Security: AGENT_WALLET_DIR tilde fix	Changing `"~/.agent-wallet"` to `"$HOME/.agent-wallet"` correctly fixes tilde expansion in double-quoted strings. Tilde expansion does not occur inside double quotes in POSIX shells.
UX: three-tier audience design	`Agent-Wallet/Intro.md` segments users into casual / CLI / developer paths with distinct entry points. This is excellent information architecture for a product with a wide skill-range audience.
UX: prompt-driven skill catalog	Replacing code-block command examples with copy-pasteable natural language prompts in `BANKOFAISkill.md` significantly lowers the barrier to entry for non-technical users.
Documentation: cross-linking	The new Agent Wallet docs are thoroughly cross-linked from existing MCP Server and SKILLS docs. Deep links to specific anchors (e.g., `CLI-Reference#non-interactive-execution`) are well-targeted.
Documentation: admonition usage	:::danger, :::warning, :::caution, and :::tip admonitions are used accurately and consistently to signal severity levels throughout the new Agent Wallet section.
Safety: Three Golden Rules preserved	The new `BANKOFAISkill.md` preserves all three original safety rules (no private keys in chat, testnet first, explicit confirmation for write ops) in a more readable numbered format. No safety information was dropped.
Documentation: `runtime_secrets.json` permissions	The CLI Reference notes that `runtime_secrets.json` is automatically created with `600` permissions and advises users to verify permissions after manual moves/copies. This is a useful operational detail.

Checklist Results

Category	Items Checked	Pass	Fail	N/A	Notes
Correctness	6	5	1	0	MN-05: `agent-wallet reset` anchor unverified
Security	8	6	2	0	MN-01 (`--save-runtime-secrets` framing), MN-02 (Method C missing warning)
Performance	3	3	0	3	N/A for documentation
Code Quality	5	3	2	0	MN-03 (misleading comment), MN-04 (filename mismatch)
Testing	2	2	0	5	N/A for documentation
Documentation	6	4	2	0	MN-06 (unverified curl\|bash), MN-07 (lost technical reference)
Compatibility	3	2	1	0	S-04: no version requirements stated
Observability	2	2	0	5	N/A for documentation

Disclaimer

This is an automated code review. It supplements but does not replace human review. The reviewer analysed only the diff between main and update-mcp-server. Runtime behaviour, integration testing, and deployment impact are not covered. Specifically: link anchors (MN-05) and SDK API signatures (S-02) should be manually verified by a developer with access to the Agent Wallet source.

Report generated by Code Review Skill v1.0.0
Date: 2026-03-23

github-actions · 2026-03-23T08:52:15Z

Code Review Report

Project: BofAI Docs (x402-tron/docs)
PR: main -> update-mcp-server
Review Date: 2026-03-23
Reviewer: AI Code Reviewer (Code Review Skill v1.0.0)

PR Overview

Branch Information

Property	Value
From Branch	`main`
To Branch	`update-mcp-server`
Commits	34
Files Changed	36
Lines Added	+4,927
Lines Removed	-901

Commit History (Recent)

Hash	Message
`11c00b5`	update skills
`5ecdb8c`	update agent wallet
`b1e80c3`	update skills docs
`b6e023f`	workflow add update-mcp-server
`a5b2e70`	highlight agent wallet
`1ec9118`	fix
`4dff899`	fix new major audio issues
`26ff9f5`	fix MAJOR-1: echo $AGENT_WALLET_PASSWORD Instructs Users to Print Password to Terminal
`b92448f`	fix audio new issues
`ee9c759`	fix audio issues

Review Summary

Verdict

Verdict: Request Changes

Findings at a Glance

	Critical	Major	Minor	Suggestion
Count	0	2	4	3

Summary

This PR is a significant documentation expansion adding a complete Agent-Wallet section (6 new pages in both English and Chinese), rewriting the SKILLS documentation, and adding a new SKILLS QuickStart page. It also makes a crucial CI security fix (removing a step that leaked Docker Hub credentials to CI logs) and improves environment variable handling guidance across MCP Server docs (switching from double quotes to single quotes for passwords, replacing echo $AGENT_WALLET_PASSWORD with a safe check command).

The overall quality is high — content is comprehensive, well-structured, and security-conscious in its intent. However, two major issues undermine the stated security goals: the new SKILLS/QuickStart.md advises double-quoted TRON_PRIVATE_KEY (opposite to what the rest of the PR corrects elsewhere), and there is a Node.js version requirement inconsistency (≥18 vs ≥20) spread across the new documentation that will confuse users and could cause silent install failures.

Change Summary

1. CI Workflow Security Fix

File	Change Type	Description
`.github/workflows/docker.yml`	Modified	Removed credential-leaking debug step; updated branch trigger from `ai-bankofai-patch-1` to `update-mcp-server`

Purpose: Eliminates a CI step that was echoing DOCKERHUB_USERNAME and the character-length of DOCKERHUB_TOKEN to publicly visible GitHub Actions logs.

2. New Agent-Wallet Documentation (English + Chinese)

File	Change Type	Description
`docs/Agent-Wallet/Intro.md`	Added	Security architecture overview and threat model
`docs/Agent-Wallet/QuickStart.md`	Added	Three-step user onboarding guide
`docs/Agent-Wallet/FAQ.md`	Added	20+ Q&A covering security, installation, usage
`docs/Agent-Wallet/Developer/CLI-Reference.md`	Added	Full CLI command reference with security cautions
`docs/Agent-Wallet/Developer/SDK-Guide.md`	Added	TypeScript and Python SDK integration guide
`docs/Agent-Wallet/Developer/SDK-Cookbook.md`	Added	End-to-end code examples: TRON transfer, BSC/EVM transfer, x402 PaymentPermit
(Chinese mirrors)	Added	Full i18n translation of all above pages

Purpose: Introduces Agent-Wallet as the recommended credential management approach, replacing plaintext private key usage patterns referenced in older docs.

3. Updated MCP Server Documentation

File	Change Type	Description
`docs/McpServer-Skills/MCP/SUNMCPServer/FAQ.md`	Modified	Replaced `echo $AGENT_WALLET_PASSWORD` with safe check; added links to Agent-Wallet docs; updated wallet reset procedure
`docs/McpServer-Skills/MCP/SUNMCPServer/LocalPrivatizedDeployment.md`	Modified	Replaced inline installation steps with link to Agent-Wallet docs; fixed env var quoting; fixed `AGENT_WALLET_DIR` tilde expansion bug
`docs/McpServer-Skills/MCP/TRONMCPServer/FAQ.md`	Modified	Same pattern as SUN; fixed `agent-wallet init` → `agent-wallet start` command name
`docs/McpServer-Skills/MCP/TRONMCPServer/LocalPrivatizedDeployment.md`	Modified	Same as SUN
`docs/McpServer-Skills/MCP/TRONMCPServer/ToolList.md`	Modified	Added hyperlinks from tool list to Agent-Wallet docs

Purpose: Standardizes credential handling guidance, links to the new Agent-Wallet documentation, and fixes previously dangerous instructional patterns.

4. Rewritten Skills Documentation

File	Change Type	Description
`docs/McpServer-Skills/SKILLS/Intro.md`	Modified	Complete rewrite from technical reference to marketing-style introduction
`docs/McpServer-Skills/SKILLS/BANKOFAISkill.md`	Modified	Rewritten as a user-friendly skill catalog with sample prompts
`docs/McpServer-Skills/SKILLS/Faq.md`	Modified	Reorganized by urgency; added security incident response guidance
`docs/McpServer-Skills/SKILLS/QuickStart.md`	Added	New 2-step quick start guide for the skills system

Purpose: Shifts documentation from developer-focused technical reference to beginner-friendly onboarding content.

5. Navigation and Package Updates

File	Change Type	Description
`sidebars.js`	Modified	Added Agent Wallet category; added SKILLS QuickStart
`i18n/zh-Hans/.../sidebars.js`	Modified	Same, with Chinese label
`i18n/zh-Hans/.../current.json`	Modified	Added "进一步探索" i18n key
`package.json`	Modified	Version bump 1.2.3 → 1.2.4

Detailed Findings

Major

[MJ-01] Inconsistent Quoting Advice for `TRON_PRIVATE_KEY` Creates Security Vulnerability

Property	Value
Severity	Major
Category	Security / Documentation
File	`docs/McpServer-Skills/SKILLS/QuickStart.md` : Lines 3272–3274, 3281–3283 (diff)

Description

The new SKILLS/QuickStart.md "Option 2: Paste Your Private Key Directly" instructs users to use double quotes for TRON_PRIVATE_KEY:
export TRON_PRIVATE_KEY="your_real_or_testnet_private_key"
It also notes: "⚠️ Important: Don't forget the double quotes on both sides!" — effectively telling users double quotes are required.

This directly contradicts the security fix made elsewhere in the same PR. The MCP Server FAQ files were changed from double quotes to single quotes precisely because special characters (like $) in a private key string will be silently shell-expanded when wrapped in double quotes, corrupting the value. With double quotes, a key fragment like $abc gets replaced by the value of shell variable $abc, which is typically empty — the resulting key loads silently as a wrong, shorter value and may sign with the wrong key or fail in non-obvious ways.

A private key is a random 64-character hex string; while it's unlikely to contain $, it is not impossible and future guidance may use keys/mnemonics that do contain such characters. More importantly, the Chinese translation of this same file mirrors the same double-quote instruction, amplifying the inconsistency.

Code

+   export TRON_PRIVATE_KEY="your_real_or_testnet_private_key"
+   ⚠️ Important: Don't forget the double quotes on both sides!

Compare to the fix made elsewhere in this PR:

-export AGENT_WALLET_PASSWORD="your_password"
+export AGENT_WALLET_PASSWORD='your_password'

Recommendation

Change both instances (Mac and WSL) in SKILLS/QuickStart.md to use single quotes, and update the warning text:

export TRON_PRIVATE_KEY='your_real_or_testnet_private_key'
# ✅ Single quotes prevent the shell from expanding any special characters

Apply the same fix to i18n/zh-Hans/.../current/McpServer-Skills/SKILLS/QuickStart.md.

[MJ-02] Node.js Version Requirement Inconsistency Across New Documentation

Property	Value
Severity	Major
Category	Correctness / Documentation
File	`docs/McpServer-Skills/SKILLS/Faq.md` : Line 2682 (diff) vs `docs/Agent-Wallet/Developer/SDK-Guide.md` : Line 924 (diff)

Description

The new documentation contains contradictory minimum Node.js version requirements:

SKILLS/Faq.md (new content, "Installation failed" section): "Skills require v20 or higher."

Agent-Wallet/Developer/SDK-Guide.md (new file): "Requires Node.js ≥ 18."

Agent-Wallet/QuickStart.md (new file): "Node.js (a runtime environment, version >= 18)"

Agent-Wallet/FAQ.md (new file): "As long as you can run Node.js >= 18 ... you're good to go."

Users following the Skills FAQ will install Node.js 20+. Users following the Agent-Wallet docs will install Node.js 18. When a Node.js 18 user then tries to run skills (which require v20), the failure will be cryptic because the QuickStart explicitly told them v18 was sufficient. This creates a confusing, inconsistent experience that undermines trust in the documentation.

Code

<!-- SKILLS/Faq.md -->
Run `node --version` in your terminal. Skills require **v20 or higher**.

<!-- Agent-Wallet/Developer/SDK-Guide.md -->
Requires Node.js ≥ 18.

Recommendation

Audit the actual runtime requirements of the skills scripts and Agent-Wallet CLI, then set a single consistent minimum version across all documentation. If skills truly require v20, update Agent-Wallet docs to also require v20 (or document clearly that they have different requirements):

<!-- Consistent across all docs -->
Requires Node.js ≥ 20 (LTS). Check with: `node -v`

Minor

[MN-01] `AGENT_WALLET_DIR` Tilde Expansion Inconsistency — Partially Fixed

Property	Value
Severity	Minor
Category	Correctness
File	`docs/McpServer-Skills/MCP/SUNMCPServer/LocalPrivatizedDeployment.md` : Lines 2196–2199 (diff)

Description

The PR correctly fixes AGENT_WALLET_DIR="~/.agent-wallet" → AGENT_WALLET_DIR="$HOME/.agent-wallet" in both SUN and TRON deployment docs. Inside double-quoted strings, ~ is not expanded by the shell, so the old instruction set the variable to the literal string ~/.agent-wallet rather than the user's home directory path. The fix using $HOME is correct.

However, the new Agent-Wallet SDK Guide (SDK-Guide.md) still shows:
export AGENT_WALLET_DIR="$HOME/.agent-wallet"
This is actually correct (double-quoted $HOME is expanded). But for full consistency with the single-quote recommendations used for passwords throughout the new documentation, this could cause reader confusion — why are passwords single-quoted but directory paths double-quoted?

Recommendation

This is a minor consistency concern. No functional bug. Document a style guide comment inline or use the same quoting style throughout:
# $HOME needs to expand — double quotes are appropriate here
export AGENT_WALLET_DIR="$HOME/.agent-wallet"

[MN-02] `curl | bash` Installation Pattern Without Pinned Commit

Property	Value
Severity	Minor
Category	Security
File	`docs/McpServer-Skills/SKILLS/QuickStart.md` : Line 3183 (diff); `docs/McpServer-Skills/SKILLS/BANKOFAISkill.md` : removed section

Description

The new SKILLS/QuickStart.md promotes the installation command:
curl -fsSL https://raw.githubusercontent.com/BofAI/openclaw-extension/refs/heads/main/install.sh | bash
This fetches and executes the tip of the main branch directly. If the repository is ever compromised, users running this command receive and execute malicious code without any integrity check. The refs/heads/main pointer can change at any time.

This pattern existed in the old BANKOFAISkill.md and was not introduced by this PR. However, the PR rewrites SKILLS/QuickStart.md to make this the primary and most prominent installation method, elevating its exposure. Notably, the old BANKOFAISkill.md did include a "Method 2: check script before running" alternative; that alternative has been removed in the rewrite.

Recommendation

Either pin to a specific commit SHA, or restore the "inspect before running" alternative as a visible option:
# Inspect the script before running (recommended for security-conscious users)
curl -fsSL https://raw.githubusercontent.com/BofAI/openclaw-extension/refs/heads/main/install.sh -o install.sh
# Review install.sh, then:
bash install.sh

[MN-03] Stale Reference: `agent-wallet init` Removed from TRON FAQ but May Still Exist Elsewhere

Property	Value
Severity	Minor
Category	Correctness
File	`docs/McpServer-Skills/MCP/TRONMCPServer/FAQ.md` : Line 2232 (diff)

Description

The PR correctly replaces agent-wallet init with agent-wallet reset (plus a new warning about data loss) in TRONMCPServer/FAQ.md. The old command agent-wallet init no longer exists in the current CLI (agent-wallet start creates wallets; agent-wallet reset wipes them). However, only the TRON FAQ was updated to reference agent-wallet reset; the SUN FAQ and the new CLI Reference use agent-wallet reset correctly. The fix is consistent across the changed files.

The risk is low but the CLI-Reference.md should be verified to not reference agent-wallet init anywhere. A quick scan of the new content confirms agent-wallet init does not appear in the new documentation, so this is informational only.

Recommendation

No immediate action needed. Add a note to documentation maintenance procedures: when CLI command names change, search the entire docs tree for old names.

[MN-04] Chinese Translation Still Uses Double Quotes for `TRON_PRIVATE_KEY`

Property	Value
Severity	Minor
Category	Security / Documentation
File	`i18n/zh-Hans/docusaurus-plugin-content-docs/current/McpServer-Skills/SKILLS/QuickStart.md` : Lines 6580–6582, 6589–6591 (diff)

Description

The Chinese translation of SKILLS/QuickStart.md mirrors the same double-quote instruction as [MJ-01]. Chinese-language users following the instructions export TRON_PRIVATE_KEY="你的真实或测试网私钥" are equally exposed to shell variable expansion issues.

Recommendation

Apply the same single-quote fix to the Chinese translation as recommended in [MJ-01].

Suggestions

[S-01] `workflow_dispatch` Comment Could Be More Specific

File: .github/workflows/docker.yml : Line 20 (diff)
Description: The comment # Intentionally unrestricted — allows manual builds from any branch for flexibility is clear about intent, but does not explain the security implication (anyone with write access can trigger a build from any branch, potentially triggering image pushes if secrets are available to the job).
Suggestion: Consider adding: # Note: manual trigger only pushes if DOCKERHUB_TOKEN secret is set; PRs do not have access to secrets.

[S-02] SDK-Cookbook `broadcastResult` Error Handling Could Throw

File: docs/Agent-Wallet/Developer/SDK-Cookbook.md : Lines 470–473 (diff)
Description: In the TRON Transfer TypeScript example, when broadcastResult.result is falsy, the code calls console.error(...) but does not throw or return an error. The function then reaches return signedTx.txID, returning a txID for a failed broadcast. Code that calls transferTRX() and checks the return value would incorrectly conclude the transfer succeeded.

if (broadcastResult.result) {
  console.log("Broadcast successful! txID:", signedTx.txID);
} else {
  console.error("Broadcast failed:", broadcastResult); // Does not throw!
}
return signedTx.txID; // Returns even on failure

Suggestion: Change to throw new Error(...) on broadcast failure. Since this is example/documentation code that users will copy directly, it should model best practices:

} else {
  throw new Error("Broadcast failed: " + JSON.stringify(broadcastResult));
}

[S-03] Python Cookbook Imports `asyncio` Inside a Function Body

File: docs/Agent-Wallet/Developer/SDK-Cookbook.md : Line 734 (diff)
Description: The BSC/EVM Python example has import asyncio inside the transfer_bnb function body (not at the top of the file). While this works in Python, it is non-idiomatic and will confuse readers who are new to Python. The comment "NOTE: This blocks the event loop..." is correct and useful, but users may copy only the function body into their own module and get a NameError: name 'asyncio' is not defined error because the import is scoped to the function.

Suggestion: Move import asyncio to the top of the file alongside the other imports to follow standard Python conventions.

Positive Observations

Area	Observation
Security — CI	The PR removes the `Debug Docker Hub secrets` CI step that was printing credential metadata to workflow logs — a real and impactful security fix.
Security — Password Display	Multiple docs replace `echo $AGENT_WALLET_PASSWORD` (which reveals the password in terminal output) with `[[ -n "$AGENT_WALLET_PASSWORD" ]] && echo "Password is set"
Security — Quoting	Consistent upgrade from double quotes to single quotes for password environment variables across `SUNMCPServer` and `TRONMCPServer` docs reduces risk of shell expansion corrupting credentials.
Security — Password History	New Agent-Wallet docs include detailed warnings about shell history exposure for inline `-p` flags, and recommend editing `.zshrc`/`.bashrc` directly rather than running `echo "..." >>` to avoid recording secrets in history files.
Security — `raw_secret` Warnings	The new CLI Reference and Agent-Wallet docs consistently use `:::danger` callouts for `raw_secret` wallet type, making the security risk prominent and hard to miss.
Documentation Depth	SDK-Cookbook provides complete, runnable end-to-end examples (TRON transfer, EVM transfer, x402 payment) in both TypeScript and Python with proper error handling and inline explanatory comments.
UX — Beginner Onboarding	QuickStart pages follow a progressive disclosure pattern: zero-risk read-only operations first, then testnet, then mainnet — reducing the chance of accidental mainnet transactions.
Correctness — AGENT_WALLET_DIR	The fix from `"~/.agent-wallet"` to `"$HOME/.agent-wallet"` corrects a real shell expansion bug in the tilde-in-double-quotes pattern.
Documentation — Terminology	Replacing `agent-wallet init` (obsolete command) with `agent-wallet start` / `agent-wallet reset` throughout the changed docs eliminates a source of user confusion.

Checklist Results

Category	Items Checked	Pass	Fail	N/A	Notes
Correctness	6	4	2	0	Node.js version contradiction; broadcast-no-throw in cookbook example
Security	8	6	2	0	Double-quote TRON_PRIVATE_KEY; curl-main pipe
Performance	3	0	0	3	No runtime code changed — docs only
Code Quality	5	4	1	0	Python in-function import
Testing	2	0	0	2	No tests applicable — docs only
Documentation	6	5	1	0	Broken quoting recommendation in QuickStart
Compatibility	2	1	1	0	Node ≥18 vs ≥20 inconsistency
Observability	1	1	0	0	Safe password-check pattern added

Disclaimer

This is an automated code review. It supplements but does not replace human review. The reviewer analyzed only the diff between the specified branches (main...update-mcp-server). Runtime behavior, integration testing, link validity, and deployment impact are not covered. All finding line numbers reference diff output positions, not final file line numbers.

Report generated by Code Review Skill v1.0.0
Date: 2026-03-23

github-actions · 2026-03-23T09:38:09Z

Code Review Report

Project: x402-tron/docs
PR: main → update-mcp-server
Review Date: 2026-03-23
Reviewer: AI Code Reviewer (Code Review Skill v1.0.0)

PR Overview

Branch Information

Property	Value
From Branch	`main`
To Branch	`update-mcp-server`
Commits	34
Files Changed	36
Lines Added	+4,926
Lines Removed	-901

Commit History (most recent)

Hash	Message
`6295071`	update skill intro
`11c00b5`	update skills
`5ecdb8c`	update agent wallet
`b1e80c3`	update skills docs
`b6e023f`	workflow add update-mcp-server
`a5b2e70`	highlight agent wallet
`1ec9118`	fix
`4dff899`	fix new major audio issues
`26ff9f5`	fix MAJOR-1: echo $AGENT_WALLET_PASSWORD instructs users to print password
`b92448f`	fix audio new issues

Review Summary

Verdict

Verdict: Approve with Minor Suggestions

Findings at a Glance

	Critical	Major	Minor	Suggestion
Count	0	1	3	3

Summary

This PR introduces a substantial new Agent Wallet documentation section (six new files covering Intro, Quick Start, FAQ, CLI Reference, SDK Guide, and SDK Cookbook), expands the SKILLS documentation section with a new QuickStart page, rewrites the Intro and BANKOFAISkill catalog pages for improved accessibility, and updates all MCP Server documentation (TRON and SUN) to cross-reference the new Agent Wallet docs. A version bump (1.2.3 → 1.2.4) and sidebar navigation updates are also included.

The security posture of this PR is strongly net-positive. The most significant contribution is the removal of a Debug Docker Hub secrets CI step that was actively printing credentials to GitHub Actions logs — a serious but previously introduced vulnerability, now resolved here. Across the board, documentation examples have been corrected to use single quotes for sensitive environment variables (preventing silent shell expansion of passwords), echo $AGENT_WALLET_PASSWORD has been replaced with a non-revealing check, and rm -rf ~/.agent-wallet/ has been replaced with the safer agent-wallet reset command.

One Major finding stands out: the new SKILLS QuickStart page promotes an unverified curl | bash installation pattern without an integrity check, which introduces a supply-chain risk. The remaining findings are minor inconsistencies and a slightly misleading inline comment in the CI workflow.

Change Summary

1. CI/CD — GitHub Actions Workflow (`docker.yml`)

File	Change Type	Description
`.github/workflows/docker.yml`	Modified	Branch triggers updated; debug credentials step removed; `workflow_dispatch` comment added

Purpose: Align the Docker build trigger with the new update-mcp-server branch (replacing ai-bankofai-patch-1). Most critically, removes a debug step that printed Docker Hub credentials to CI log output.

2. Package Version & Sidebar Navigation

File	Change Type	Description
`package.json`	Modified	Version bump `1.2.3` → `1.2.4`
`sidebars.js`	Modified	Added `SKILLS/QuickStart` entry; added entire `Agent Wallet` category
`i18n/en/docusaurus-plugin-content-docs/current/sidebars.js`	Modified	Mirror of root `sidebars.js`
`i18n/en/docusaurus-plugin-content-docs/current.json`	Modified	Added four new `Agent-Wallet` doc entries

Purpose: Surface the new documentation sections in the rendered site navigation.

3. New Agent Wallet Documentation Section

File	Change Type	Description
`docs/Agent-Wallet/Intro.md`	New	Conceptual introduction, threat model, dual-lock security model
`docs/Agent-Wallet/QuickStart.md`	New	Step-by-step setup: install, configure env var, test in OpenClaw
`docs/Agent-Wallet/FAQ.md`	New	Answers to common questions including security, offline use, password loss
`docs/Agent-Wallet/Developer/CLI-Reference.md`	New	Full CLI reference including `start`, `sign`, `add`, `use`, `reset`
`docs/Agent-Wallet/Developer/SDK-Guide.md`	New	TypeScript/Python SDK integration guide
`docs/Agent-Wallet/Developer/SDK-Cookbook.md`	New	Ready-to-run code recipes for common signing scenarios
`i18n/en/…/Agent-Wallet/*`	New	English i18n mirrors of the above

Purpose: Provide complete standalone documentation for the @bankofai/agent-wallet package as an alternative to plaintext private keys.

4. Updated SKILLS Documentation

File	Change Type	Description
`docs/McpServer-Skills/SKILLS/Intro.md`	Modified	Rewritten with user-facing narrative; removed technical deep-dive
`docs/McpServer-Skills/SKILLS/BANKOFAISkill.md`	Modified	Retitled "Skill Catalog"; restructured with sample prompts; links to Agent Wallet
`docs/McpServer-Skills/SKILLS/QuickStart.md`	New	Two-step installation guide with `curl \| bash` and fallback options
`docs/McpServer-Skills/SKILLS/Faq.md`	Modified	Rewritten with user-facing Q&A; links to Agent Wallet docs

Purpose: Shift SKILLS docs from a developer-oriented reference toward an approachable onboarding experience.

5. Updated MCP Server Documentation (TRON & SUN)

File	Change Type	Description
`docs/McpServer-Skills/MCP/TRONMCPServer/FAQ.md`	Modified	Updated Agent Wallet password-lost flow; now links to CLI Reference
`docs/McpServer-Skills/MCP/TRONMCPServer/LocalPrivatizedDeployment.md`	Modified	Consolidated Agent Wallet setup; links to new Agent Wallet docs
`docs/McpServer-Skills/MCP/TRONMCPServer/ToolList.md`	Modified	`list_wallets` and `select_wallet` now link to Agent Wallet Intro
`docs/McpServer-Skills/MCP/SUNMCPServer/FAQ.md`	Modified	Replaced insecure troubleshooting steps with safe alternatives
`docs/McpServer-Skills/MCP/SUNMCPServer/LocalPrivatizedDeployment.md`	Modified	Same as TRON counterpart
`i18n/en/…/McpServer-Skills/*`	Modified	English i18n mirrors of the above

Purpose: Reduce documentation duplication by delegating Agent Wallet setup details to the new dedicated section; incorporate security improvements.

Detailed Findings

Major

[MJ-01] Unverified `curl | bash` Installation Script

Property	Value
Severity	Major
Category	Security
File	`docs/McpServer-Skills/SKILLS/QuickStart.md` : Lines 26–30

Description

The new SKILLS Quick Start page instructs all users — explicitly targeting beginners with no prior technical experience — to run a remote shell script directly via curl | bash with no integrity verification (no checksum, no GPG signature). If the GitHub repository, CDN, or any redirect in the network path is compromised, the attacker can serve arbitrary commands that execute with the user's privileges. This is a well-known supply-chain attack vector. The audience (stated as "no private keys, no configuration") makes it higher risk: users have little context to detect anomalies.

Code

curl -fsSL https://raw.githubusercontent.com/BofAI/openclaw-extension/refs/heads/main/install.sh | bash

Recommendation

Promote the "check script before running" pattern from the old BANKOFAISkill.md (which has now been removed) as the primary recommendation. At minimum, show the git clone + inspect alternative before the curl | bash shortcut, and add a clear security note:

# Recommended: review the script before running
git clone https://github.com/BofAI/openclaw-extension.git
cd openclaw-extension
cat install.sh        # inspect before you run
./install.sh

# Quick method (trust the source)
curl -fsSL https://raw.githubusercontent.com/BofAI/openclaw-extension/refs/heads/main/install.sh | bash

Consider also adding a SHA-256 checksum of a pinned release tag rather than pulling from refs/heads/main (a mutable ref).

Minor

[MN-01] Inline `-p` Password Flag in CLI Reference Examples

Property	Value
Severity	Minor
Category	Security
File	`docs/Agent-Wallet/Developer/CLI-Reference.md` : Lines 29–33

Description

The CLI Reference uses agent-wallet start -p Abc12345! as the canonical "custom password" example throughout the document. Although a :::caution Shell history risk admonition is present, the flag value used is a realistic-looking password (Abc12345!), not a clearly synthetic placeholder. Users who copy these examples verbatim for real wallets will expose their actual password in shell history. The existing caution note is good, but could be stronger.

Code

agent-wallet start -p Abc12345!

Recommendation

Replace the flag example value with an obviously synthetic placeholder and update the caution note to appear before the code block:

# Caution: passing -p inline records the password in shell history.
# For production wallets, prefer interactive mode (no -p flag).
agent-wallet start -p '<YOUR_STRONG_PASSWORD>'

[MN-02] `TRON_PRIVATE_KEY` Uses Double Quotes in SKILLS QuickStart (Inconsistency)

Property	Value
Severity	Minor
Category	Security / Code Quality
File	`docs/McpServer-Skills/SKILLS/QuickStart.md` : Lines 83, 94

Description

Across this entire PR, sensitive environment variables (AGENT_WALLET_PASSWORD, TRON_MNEMONIC, TRON_PRIVATE_KEY) have been consistently updated to use single quotes to prevent accidental shell expansion. However, in the new SKILLS QuickStart, the "Option 2: Paste your private key directly" section still uses double quotes for TRON_PRIVATE_KEY. Hex private keys rarely contain shell-special characters, so this is unlikely to cause a runtime breakage, but it is an inconsistency with the rest of the documentation and the stated security guidance.

Code

export TRON_PRIVATE_KEY="your_real_or_testnet_private_key"

Recommendation

export TRON_PRIVATE_KEY='your_real_or_testnet_private_key'

[MN-03] Misleading `workflow_dispatch` Comment in CI Workflow

Property	Value
Severity	Minor
Category	Documentation
File	`.github/workflows/docker.yml` : Line 14

Description

The added inline comment states # Intentionally unrestricted — allows manual builds from any branch for flexibility. workflow_dispatch does not allow triggering "from any branch" by default — it triggers the workflow from the branch selected in the GitHub Actions UI, which still must have the workflow file present. The phrase "any branch" implies a broader bypass than what workflow_dispatch actually provides, which could confuse future maintainers or create a false sense that there is no branch restriction.

Code

  workflow_dispatch: # Intentionally unrestricted — allows manual builds from any branch for flexibility

Recommendation

  workflow_dispatch: # Allows manual triggering from the GitHub Actions UI (any branch that has this workflow file)

Suggestions

[S-01] Pin `curl | bash` to a Tagged Release Instead of `refs/heads/main`

File: docs/McpServer-Skills/SKILLS/QuickStart.md
Description: The install URL fetches from refs/heads/main — a mutable branch ref. If a new commit is pushed to main after the docs are published, users could receive a different script version than what was tested. Pinning to a tagged release (e.g., refs/tags/v1.2.3) guarantees reproducibility and reduces the blast radius if the branch is force-pushed or temporarily contains bad code.
Suggestion: Replace refs/heads/main with a pinned tag, and update the tag when new releases ship: https://raw.githubusercontent.com/BofAI/openclaw-extension/refs/tags/v1.2.3/install.sh.

[S-02] Expose Windows Support Gap More Prominently

File: docs/Agent-Wallet/FAQ.md : Line ~153 (Installation & Environment section)
Description: Windows support is currently addressed only deep in the FAQ ("Windows is not currently supported"). The Quick Start page does not mention this; users who follow it on Windows will hit failures midway through. The SKILLS QuickStart references Windows (WSL) under the private-key option but not for Agent Wallet setup.
Suggestion: Add a :::caution or OS tab at the top of Agent-Wallet/QuickStart.md noting that native Windows is unsupported and directing Windows users to WSL.

[S-03] Add Explicit "No i18n Drift" Note or Automation for i18n Mirrors

File: i18n/en/docusaurus-plugin-content-docs/current/*
Description: The i18n directory contains exact mirrors of docs/**. This PR correctly keeps them in sync, but the duplication creates a persistent risk: future changes to primary docs that are not mirrored to i18n/ will cause content drift, broken anchors, or missing pages in the English i18n locale.
Suggestion: Add a note in CONTRIBUTING.md (or a CI lint check) requiring that edits to docs/ are mirrored to i18n/en/. Alternatively, consider using Docusaurus's docusaurus write-translations mechanism to reduce manual mirroring.

Positive Observations

Area	Observation
Critical Security Fix	Removed the `Debug Docker Hub secrets` CI step that was printing `DOCKERHUB_USERNAME` and the length of `DOCKERHUB_TOKEN` to public GitHub Actions logs. This was the most serious vulnerability in the repository and its removal is the single most impactful change in this PR.
Safe Password Verification	`echo $AGENT_WALLET_PASSWORD` — which reveals the password value in terminal output — has been replaced with `[[ -n "$AGENT_WALLET_PASSWORD" ]] && echo "Password is set"
Single-Quote Consistency	All sensitive `export` statements (`AGENT_WALLET_PASSWORD`, `TRON_PRIVATE_KEY`, `TRON_MNEMONIC`, `TRON_MNEMONIC`) have been migrated from double quotes to single quotes, preventing silent shell expansion of passwords containing `$`, `!`, and similar characters. The caution boxes explicitly explain why.
`$HOME` Over `~` in Env Vars	`AGENT_WALLET_DIR="~/.agent-wallet"` has been corrected to `AGENT_WALLET_DIR="$HOME/.agent-wallet"`. Tilde (`~`) is not expanded inside double-quoted strings by POSIX-compatible shells, so the old form would have set the variable to the literal string `~/.agent-wallet` rather than the resolved home path.
Safe Wallet Reset	`rm -rf ~/.agent-wallet/` has been replaced with `agent-wallet reset` across all MCP Server FAQs. The new command is accompanied by strong warnings about irreversibility, links to the CLI Reference, and guidance on backing up mnemonics before proceeding.
Shell History Awareness	The Agent Wallet QuickStart explicitly warns users not to use `echo "export ..." >> ~/.zshrc` because the password ends up in `.zsh_history`. It recommends editing the config file in a text editor instead. This is a non-obvious security best practice that is rarely documented.
`raw_secret` Danger Warnings	The `raw_secret` wallet type (which stores keys unencrypted) is consistently labeled with `:::danger` admonitions throughout the new CLI Reference and FAQ, ensuring users are not inadvertently guided toward it.
Cross-Linking Architecture	Rather than duplicating Agent Wallet setup instructions in every MCP Server doc, the PR restructures them to point to the new canonical Agent Wallet section. This eliminates future drift risk and keeps security guidance centralised and consistent.
Security-Concious New Docs	The new Agent-Wallet `Intro.md` includes a concrete threat model (dependency chain poisoning, "helpful" agent leaks, git history exposure) that gives users genuine, actionable context for why the tool exists — significantly better than a simple feature list.

Checklist Results

Category	Items Checked	Pass	Fail	N/A	Notes
Correctness	4	4	0	4	Logic, links, and env var quoting are correct
Security	10	8	1	1	`curl \| bash` without integrity check (MJ-01)
Performance	7	0	0	7	Documentation-only PR; not applicable
Code Quality	6	5	1	0	Double-quote inconsistency (MN-02); misleading comment (MN-03)
Testing	7	0	0	7	Documentation-only PR; not applicable
Documentation	6	5	1	0	Windows gap not surfaced in Quick Start (S-02)
Compatibility	5	4	0	1	i18n mirrors kept in sync this PR (S-03 for future risk)
Observability	4	0	0	4	Documentation-only PR; not applicable

Disclaimer

This is an automated code review. It supplements but does not replace human review. The reviewer analyzed only the diff between origin/main and origin/update-mcp-server. Runtime behavior, integration testing, deployment impact, and the correctness of any linked external URLs are not covered.

Report generated by Code Review Skill v1.0.0
Date: 2026-03-23

github-actions · 2026-03-23T10:37:53Z

Code Review Report

Project: BofAI Docs (bankofai/docs)
PR: main -> update-mcp-server
Review Date: 2026-03-23
Reviewer: AI Code Reviewer (Code Review Skill v1.0.0)

PR Overview

Branch Information

Property	Value
From Branch	`main`
To Branch	`update-mcp-server`
Commits	37
Files Changed	36
Lines Added	+4858
Lines Removed	-903

Commit History

Hash	Message
`2248698`	update skill intro
`6295071`	update skill intro
`11c00b5`	update skills
`5ecdb8c`	update agent wallet
`b1e80c3`	update skills docs
`b6e023f`	workflow add update-mcp-server
`a5b2e70`	highlight agent wallet
`1ec9118`	fix
`4dff899`	fix new major audio issues
`26ff9f5`	fix MAJOR-1: echo $AGENT_WALLET_PASSWORD Instructs Users to Print Password to Terminal
`b92448f`	fix audio new issues
`ee9c759`	fix audio issues
`5e9152b`	fix audio report issue
`bafd81b`	fix audit suggestion
`b8ea082`	fix
`cf49298`	fix
`b1bfecd`	update
`bc4a8f0`	fix
`e88dbfc`	update agent-wallet
`a956313`	update
`57d7156`	Create audit-pr.yml
`6728342`	update
`1ebd798`	Merge branch 'main' into update-mcp-server
`822bdae`	fix
`224d32d`	fiix
`3b87508`	fix
`824c0d7`	fix
`17c1057`	fix
`47b8030`	fxi
`7fe32d7`	Merge pull request #28 from BofAI/ai-bankofai-patch-1
`2e02cab`	fix
`5dfcb8a`	fix
`a541e97`	fix
`956060e`	fix
`e5f417e`	fix
`fb1737f`	Merge pull request #26 from BofAI/ai-bankofai-patch-1
`24cf00e`	fix

Review Summary

Verdict

Verdict: Approve (with minor suggestions)

Findings at a Glance

	Critical	Major	Minor	Suggestion
Count	0	1	3	3

Summary

This PR introduces a comprehensive new Agent Wallet documentation section (Intro, QuickStart, FAQ, CLI Reference, SDK Guide, SDK Cookbook) and restructures/rewrites the SKILLS documentation (new QuickStart, revised Skill Catalog, revised FAQ) to be more user-friendly. It also removes a debug step from the GitHub Actions workflow that previously leaked credential metadata. The writing is clear and the security-focused guidance is a significant improvement over the prior state. One major finding relates to an internal inconsistency in quoting guidance for the TRON_PRIVATE_KEY environment variable: docs/McpServer-Skills/SKILLS/QuickStart.md instructs users to use double quotes and calls them "important," while docs/Agent-Wallet/QuickStart.md explicitly warns that double quotes will silently mangle passwords with special characters and advises single quotes. Although a private key is unlikely to contain shell-special characters, the advice is contradictory across documents. Minor findings cover a CI workflow trigger scope, a slightly outdated documentation link, and a missing Windows tab in the Agent Wallet QuickStart. Suggestions address informational style choices.

Change Summary

1. CI/CD Workflow (`.github/workflows/docker.yml`)

Replaced watched branch ai-bankofai-patch-1 with update-mcp-server in push and pull_request triggers.
Removed a "Debug Docker Hub secrets" step that printed credential metadata (username=[...] and token length) to the build log.
Added an explanatory comment on workflow_dispatch.

2. New Agent Wallet Documentation Section (`docs/Agent-Wallet/`)

Five entirely new files covering the full user journey:

Intro.md — security rationale for encrypted key storage.
QuickStart.md — three-step guide; notable security advice on single-quoting passwords.
FAQ.md — covers offline signing, password loss, wallet types, security model.
Developer/CLI-Reference.md — complete reference for every CLI command.
Developer/SDK-Guide.md and Developer/SDK-Cookbook.md — TypeScript and Python SDK guides with end-to-end transaction examples.

3. SKILLS Documentation Rewrites (`docs/McpServer-Skills/SKILLS/`)

Intro.md — full rewrite; improved clarity, consistent branding.
BANKOFAISkill.md (now "Skill Catalog") — restructured skill table, removed inline installation instructions in favour of cross-links to Agent Wallet docs.
Faq.md — reordered from "concepts-first" to "problems-first", removed echo $AGENT_WALLET_PASSWORD diagnostic step.
QuickStart.md — new file providing a two-step install-and-talk guide.

4. MCP Server Documentation Updates

docs/McpServer-Skills/MCP/TRONMCPServer/LocalPrivatizedDeployment.md — Agent Wallet setup section trimmed and cross-linked to new docs; AGENT_WALLET_DIR fixed to use $HOME instead of literal ~.
docs/McpServer-Skills/MCP/TRONMCPServer/FAQ.md — added detailed troubleshooting for connection, authentication, on-chain errors.
docs/McpServer-Skills/MCP/SUNMCPServer/LocalPrivatizedDeployment.md — same Agent Wallet section trimmed and cross-linked.
docs/McpServer-Skills/MCP/SUNMCPServer/FAQ.md — replaced echo $AGENT_WALLET_PASSWORD diagnostic with a non-revealing check; updated to use single quotes for shell variables; removed dangerous rm -rf ~/.agent-wallet/ reinitialise steps.
docs/McpServer-Skills/MCP/TRONMCPServer/ToolList.md — hyperlinked "Agent Wallet" references to new docs.

5. Sidebar Navigation (`sidebars.js` and versioned copy)

Added McpServer-Skills/SKILLS/QuickStart entry and a new top-level "Agent Wallet" category with nested "Explore Further" sub-category linking to CLI Reference, SDK Guide, SDK Cookbook.

6. Package Version (`package.json`)

Bumped version from 1.2.3 to 1.2.4.

Detailed Findings

[MJ-01] Inconsistent Quoting Guidance for `TRON_PRIVATE_KEY` Creates Potential Confusion (Major)

Severity: Major
Category: Documentation / Security
Files:

docs/McpServer-Skills/SKILLS/QuickStart.md lines 79–81, 89
docs/McpServer-Skills/SKILLS/Faq.md lines 132, 120–125 (inline comment "do NOT delete the double quotes")
docs/Agent-Wallet/QuickStart.md lines ~158–166 (explicit warning that double quotes silently mangle $-containing values)

Description:
docs/McpServer-Skills/SKILLS/QuickStart.md instructs users to wrap TRON_PRIVATE_KEY in double quotes and even marks this as "Important":

export TRON_PRIVATE_KEY="your_real_or_testnet_private_key"

⚠️ Important: Don't forget the double quotes on both sides!

docs/McpServer-Skills/SKILLS/Faq.md (credential section) also explicitly tells users:

"do NOT delete the double quotes " around each value"

Meanwhile, docs/Agent-Wallet/QuickStart.md introduces an explicit caution:

"❌ Wrong — double quotes, $w0rd gets shell-expanded to empty string, password silently breaks"

While TRON private keys are hex strings and unlikely to contain shell-special characters, the advice is directly contradictory across the documentation set. A reader who follows the QuickStart, reads the Agent Wallet docs, and then returns to the FAQ will receive conflicting guidance. This also sets an inconsistent precedent that may affect other secrets (API keys like BANKOFAI_API_KEY or SUNPERP_SECRET_KEY which can contain special characters).

Recommendation:
Standardise all credential export examples in SKILLS/QuickStart.md and SKILLS/Faq.md to use single quotes, consistent with the practice already adopted in Agent-Wallet/QuickStart.md, TRONMCPServer/LocalPrivatizedDeployment.md, and SUNMCPServer/FAQ.md. Remove the instruction "Don't forget the double quotes on both sides!" and the "(do NOT delete the double quotes)" inline comment.

[MN-01] CI Workflow `workflow_dispatch` Allows Manual Builds from Any Branch (Minor)

Severity: Minor
Category: Security / CI
File: .github/workflows/docker.yml line 14
Description:
The PR adds a comment explicitly stating that workflow_dispatch is "Intentionally unrestricted — allows manual builds from any branch for flexibility." This means any contributor with workflow write access can manually trigger a Docker build and push from any branch, including experimental or potentially untested branches. The image is pushed to Docker Hub under the production image name bankofai/docs with the tag test. While the intent is documented, the lack of branch restriction combined with unconditional push (except for pull_request events) is a broader scope than the feature requires.

workflow_dispatch: # Intentionally unrestricted — allows manual builds from any branch for flexibility

Recommendation:
If unrestricted dispatch is truly required, the comment is acceptable. However, consider whether the tag should be branch-specific (e.g., type=ref,event=branch) so manual builds from feature branches do not overwrite a shared test tag, causing ambiguity about which code is deployed under that tag.

[MN-02] Agent Wallet QuickStart Missing Linux Tab for Step 2.2 Restart Instructions (Minor)

Severity: Minor
Category: Documentation / Completeness
File: docs/Agent-Wallet/QuickStart.md — Step 2 tab structure
Description:
The QuickStart has a tabbed section (Step 2.1) with a "Mac Users (Zsh)" tab and a "Linux Users" tab for configuring the environment variable. However, the next sub-section (Step 2.2 "Restart Your AI Backend Service") has no tab distinction — the instructions are generic. The Mac tab also includes a detailed tip about why echo should not be used for inserting the password. This tip is not present in the Linux tab, leaving Linux users without the same security guidance.

Recommendation:
Add the shell-history risk tip to the Linux tab, or make it a shared callout block outside the tabs so it applies to both operating systems equally.

[MN-03] Outdated External Link in `TRONMCPServer/LocalPrivatizedDeployment.md` Removed but Replacement Not Linked in SUNMCPServer Counterpart (Minor)

Severity: Minor
Category: Documentation
Files:

docs/McpServer-Skills/MCP/TRONMCPServer/LocalPrivatizedDeployment.md line ~74 (new)
docs/McpServer-Skills/MCP/SUNMCPServer/LocalPrivatizedDeployment.md line ~68 (new)

Description:
Both deployment files now replace the old GitHub-raw external link (https://github.com/BofAI/agent-wallet/blob/main/doc/getting-started.md) with an internal cross-reference:

> For installation, initialization, and detailed usage of Agent Wallet, see the [Agent-Wallet documentation](../../../Agent-Wallet/Intro).

This is a good change, but both files link to Intro.md rather than QuickStart.md. For a user in the middle of a "Local Deployment" setup guide who needs installation steps, the QuickStart is the more actionable target.

Recommendation:
Change the cross-link in both LocalPrivatizedDeployment.md files to point to ../../../Agent-Wallet/QuickStart (or use Intro and also mention QuickStart parenthetically) to provide the most direct path to action for the user.

[S-01] Debug Step Removal is Correct but the Commit Comment Could Be More Descriptive (Suggestion)

Severity: Suggestion
Category: Code Quality / CI
File: .github/workflows/docker.yml
Description:
The "Debug Docker Hub secrets" step printed username=[...] and token_length=${#DOCKERHUB_TOKEN} to the public build log. Removing it is the correct security decision. The commit that performed this fix (b6e023f) has a message of "workflow add update-mcp-server" rather than something that communicates the security nature of the removal.

Recommendation:
Not blocking — no code change required. For future commits of this nature, use a commit message such as "ci: remove debug step that leaks Docker Hub secret metadata" so the security intent is traceable in git history without reading the diff.

[S-02] SKILLS `QuickStart.md` — `npx skills add` Command Should Clarify the Tool Name (Suggestion)

Severity: Suggestion
Category: Documentation / User Experience
File: docs/McpServer-Skills/SKILLS/QuickStart.md line ~19
Description:
The install command shown is:

npx skills add https://github.com/BofAI/skills

The skills npm package is referenced without a version pin or the -y flag that suppresses the interactive "need to install the following packages" prompt commonly encountered with npx. A first-time user on a fresh machine will see an unexpected interactive prompt before the command runs.

Recommendation:
Add -y to suppress the npx interactive confirmation:

npx -y skills add https://github.com/BofAI/skills

This is consistent with how other npx invocations are shown in the MCP Server docs.

[S-03] Version Bump in `package.json` Not Tied to a CHANGELOG or Release Note (Suggestion)

Severity: Suggestion
Category: Documentation / Maintainability
File: package.json
Description:
The version is bumped from 1.2.3 to 1.2.4 as part of this PR. There is no associated CHANGELOG entry or release note file updated in the diff.

Recommendation:
If the project maintains a changelog, add an entry for 1.2.4 summarising the Agent Wallet docs addition and SKILLS rewrite. If it does not maintain one, this is a low-priority concern.

Positive Observations

Removal of the echo $AGENT_WALLET_PASSWORD diagnostic step from docs/McpServer-Skills/MCP/SUNMCPServer/FAQ.md is a meaningful security improvement. The old instructions told users to print their wallet password to the terminal to confirm it was set. The replacement — [[ -n "$AGENT_WALLET_PASSWORD" ]] && echo "Password is set" || echo "Password NOT set" — confirms presence without revealing the value.
Removal of the "Debug Docker Hub secrets" CI step is a direct security fix. The old step printed the Docker Hub username and token length to the public build log. The new workflow is clean.
AGENT_WALLET_DIR tilde expansion fix (~/.agent-wallet → $HOME/.agent-wallet) in LocalPrivatizedDeployment.md for both TRON and SUN MCP Server docs is a technically correct improvement; tilde is not always expanded when used inside double quotes in export statements.
Agent Wallet documentation is comprehensive and well-structured. The security rationale in Intro.md, the dual-lock metaphor, the testnet-first guidance in QuickStart.md, the raw_secret vs local_secure comparison table in FAQ.md, and the end-to-end code examples in SDK-Cookbook.md collectively provide a high-quality, user-friendly security story.
Consistent adoption of single quotes for shell variable exports containing passwords across the updated MCP Server docs and Agent Wallet docs prevents shell expansion bugs for passwords with special characters ($, !, etc.).
Cross-linking between Agent Wallet and MCP/SKILLS docs is well done. Both sets of docs now reference each other appropriately, reducing duplication and keeping a single source of truth.

Checklist Results

Category	Items Checked	Pass	Fail	N/A
Correctness	6	5	1	0
Security	8	7	1	0
Performance	3	0	0	3
Code Quality	6	5	1	0
Testing	2	0	0	2
Documentation	8	6	2	0

Performance and Testing categories are largely N/A for a documentation-only PR. The correctness fail refers to the double-quote inconsistency (MJ-01). The security fail refers to the same issue (double quotes for variables that may contain special characters). The code quality fail refers to the unrestricted workflow_dispatch scope (MN-01). The two documentation fails refer to the missing Linux tip in QuickStart (MN-02) and the cross-link pointing to Intro rather than QuickStart (MN-03).

Disclaimer

This is an automated code review generated by AI Code Reviewer (Code Review Skill v1.0.0). All findings should be verified by a human reviewer before acting on them. The review is limited to the diff between main and update-mcp-server at the time of analysis (2026-03-23) and does not reflect any changes made after that point. Security findings in documentation are assessed based on the guidance provided to end users; they do not reflect vulnerabilities in production code.

github-actions · 2026-03-23T10:44:52Z

Code Review Report

Project: Bank of AI Documentation (x402-tron/docs)
PR: main -> update-mcp-server
Review Date: 2026-03-23
Reviewer: AI Code Reviewer (Code Review Skill v1.0.0)

PR Overview

Branch Information

Property	Value
From Branch	`main`
To Branch	`update-mcp-server`
Commits	24
Files Changed	36
Lines Added	+4858
Lines Removed	-903

Commit History

Hash	Message
`590e69e`	update skills
`2248698`	update skill intro
`6295071`	update skill intro
`11c00b5`	update skills
`5ecdb8c`	update agent wallet
`b1e80c3`	update skills docs
`b6e023f`	workflow add update-mcp-server
`a5b2e70`	highlight agent wallet
`1ec9118`	fix
`4dff899`	fix new major audio issues
`26ff9f5`	fix MAJOR-1: echo $AGENT_WALLET_PASSWORD Instructs Users to Print Password to Terminal
`b92448f`	fix audio new issues
`ee9c759`	fix audio issues
`5e9152b`	fix audio report issue
`bafd81b`	fix audit suggestion
`b8ea082`	fix
`cf49298`	fix
`b1bfecd`	update
`bc4a8f0`	fix
`e88dbfc`	update agent-wallet
`a956313`	update
`57d7156`	Create audit-pr.yml
`6728342`	update
`1ebd798`	Merge branch 'main' into update-mcp-server

Review Summary

Verdict

Verdict: Approve (with minor suggestions)

Findings at a Glance

	Critical	Major	Minor	Suggestion
Count	0	0	4	6

Summary

This PR delivers a substantial documentation expansion for the Agent Wallet feature and improves existing MCP Server and SKILLS documentation. The primary additions are six new Markdown files for Agent Wallet (Intro.md, QuickStart.md, FAQ.md, Developer/CLI-Reference.md, Developer/SDK-Guide.md, Developer/SDK-Cookbook.md) plus their Chinese translations, a new SKILLS/QuickStart.md, updated sidebar registrations for both English and Chinese, and a version bump to 1.2.4 in package.json. Several important security improvements are included: the removal of a debug step that echoed Docker credentials in plaintext CI logs, and a systematic replacement of double-quoted export statements with single-quoted ones throughout the docs to prevent shell variable expansion corrupting passwords and private keys containing special characters.

The overall content quality is high — the documentation is thorough, security warnings are explicit and well-placed, and the dual TypeScript/Python code examples in the SDK guide and cookbook are accurate and idiomatic. The CI workflow change correctly deregisters the old ai-bankofai-patch-1 branch trigger and adds update-mcp-server. The sidebar additions in both sidebars.js and the Chinese sidebars.js correctly integrate the new Agent Wallet section with an Agent Wallet top-level category.

Minor issues found are primarily documentation quality concerns: one environment variable reference uses ~/.agent-wallet with literal tilde instead of $HOME/.agent-wallet in one location (inconsistently fixed elsewhere in this very PR), a missing fromAddress address-validation check in the Python TRON transfer example relative to the TypeScript counterpart, and a QuickStart that shows private key inline in a code comment with double quotes which contradicts the single-quotes guidance given elsewhere. There are no security vulnerabilities, no code logic bugs, and no breaking changes.

Change Summary

1. CI Workflow (`/.github/workflows/docker.yml`)

Updated trigger branch from ai-bankofai-patch-1 to update-mcp-server in push and pull_request triggers.
Removed the debug step that printed Docker Hub credentials (DOCKERHUB_USERNAME and DOCKERHUB_TOKEN length) to workflow logs.
Added an explanatory comment for workflow_dispatch.

2. New Agent Wallet Documentation (English)

Six new files added under docs/Agent-Wallet/:

Intro.md — architecture overview, security model, supported chains table.
QuickStart.md — three-step guide through CLI install, password setup, and AI agent integration.
FAQ.md — Q&A covering security, multi-wallet, and troubleshooting.
Developer/CLI-Reference.md — full CLI command reference with security callouts.
Developer/SDK-Guide.md — TypeScript and Python SDK integration guide with environment variable reference table.
Developer/SDK-Cookbook.md — three end-to-end runnable examples: TRON TRX transfer, EVM/BSC BNB transfer, x402 PaymentPermit signing.

3. Updated MCP Server Documentation (English + Chinese)

docs/McpServer-Skills/MCP/TRONMCPServer/LocalPrivatizedDeployment.md and SUNMCPServer equivalent: removed inline Agent Wallet installation steps (now delegated to Agent Wallet docs), fixed AGENT_WALLET_DIR path from "~/.agent-wallet" to "$HOME/.agent-wallet", updated password exports to single-quoted form.
docs/McpServer-Skills/MCP/TRONMCPServer/FAQ.md and SUNMCPServer/FAQ.md: replaced echo $AGENT_WALLET_PASSWORD (which prints the password) with a conditional check [[ -n "$AGENT_WALLET_PASSWORD" ]] && echo "已设置" || echo "未设置". Replaced destructive rm -rf ~/.agent-wallet/ reset instructions with agent-wallet reset references.
docs/McpServer-Skills/MCP/TRONMCPServer/ToolList.md: added hyperlinks to Agent Wallet documentation from list_wallets and select_wallet descriptions.

4. Updated SKILLS Documentation (English + Chinese)

docs/McpServer-Skills/SKILLS/Intro.md: heavily rewritten from technical architecture explanation to a user-facing capability showcase.
docs/McpServer-Skills/SKILLS/BANKOFAISkill.md: restructured from a developer-centric per-skill reference into a user-facing conversational prompt catalog.
docs/McpServer-Skills/SKILLS/Faq.md: reorganized FAQ by urgency (troubleshooting first, concepts last), added Node.js version requirement section and Agent Wallet recommendation.
docs/McpServer-Skills/SKILLS/QuickStart.md (new): two-step quick start guide targeting non-technical users.

5. Navigation and Configuration

sidebars.js (English): added Agent Wallet top-level section, added SKILLS/QuickStart entry.
i18n/zh-Hans/.../sidebars.js (Chinese): same additions as English sidebar.
i18n/zh-Hans/.../current.json: updated sidebar label translations.
package.json: version bumped from 1.2.3 to 1.2.4.

Detailed Findings

MINOR-1: Missing Address Validation in Python TRON Transfer Example

File: docs/Agent-Wallet/Developer/SDK-Cookbook.md
Severity: Minor
Category: Correctness & Logic

Description:
The TypeScript version of the TRON TRX transfer function includes an address-mismatch guard that raises an error if the caller-supplied fromAddress does not match the wallet's actual address. The Python version omits this check entirely. In a documentation cookbook meant to be copied directly to production, this asymmetry means Python users copying the example are missing a guard against a common misconfiguration bug that would result in a TronGrid API error at broadcast time with no clear explanation.

TypeScript (present):

const walletAddress = await wallet.getAddress();
if (fromAddress !== walletAddress) {
  throw new Error(`fromAddress mismatch: expected ${walletAddress}, got ${fromAddress}`);
}

Python (absent): The transfer_trx function in Python proceeds directly to build the transaction without this check.

Recommendation: Add the equivalent validation to the Python example:

wallet_address = await wallet.get_address()
if from_address != wallet_address:
    raise ValueError(f"fromAddress mismatch: expected {wallet_address}, got {from_address}")

MINOR-2: Inconsistent Single-Quote Guidance vs. QuickStart Code Example

File: docs/McpServer-Skills/SKILLS/QuickStart.md
Lines: Option 2 "Paste Your Private Key Directly" section
Severity: Minor
Category: Security / Documentation

Description:
The Skills QuickStart guide (newly added in this PR) advises users to export TRON_PRIVATE_KEY using double-quoted syntax:

export TRON_PRIVATE_KEY="your_real_or_testnet_private_key"

This directly contradicts the security guidance added elsewhere in this very PR across SUNMCPServer/FAQ.md, TRONMCPServer/LocalPrivatizedDeployment.md, and CLI-Reference.md, all of which explicitly warn that double-quoted export statements cause shell expansion that can silently corrupt values containing $, !, and other special characters. If a user follows the QuickStart and their private key contains such characters (hex private keys generally will not, but awareness of the pattern is important for consistency), the behavior would differ from the documented norm.

Recommendation: Update the example in QuickStart.md to use single quotes for consistency with the rest of the PR's security guidance:

export TRON_PRIVATE_KEY='your_real_or_testnet_private_key'

MINOR-3: Stale `AGENT_WALLET_DIR` Path Using Literal Tilde in Chinese i18n QuickStart

File: i18n/zh-Hans/docusaurus-plugin-content-docs/current/Agent-Wallet/QuickStart.md
Severity: Minor
Category: Documentation consistency

Description:
The Chinese QuickStart file (new in this PR) does not include a code block showing AGENT_WALLET_DIR configuration, which is fine. However, the English SDK-Guide.md and CLI-Reference.md both use the environment variable reference table and code samples. More specifically, while the English and Chinese LocalPrivatizedDeployment.md files were both fixed in this PR to use $HOME/.agent-wallet instead of ~/.agent-wallet, the Chinese SUNMCPServer/LocalPrivatizedDeployment.md shows:

export AGENT_WALLET_DIR="$HOME/.agent-wallet"

which is correct. However the SKILLS BANKOFAISkill.md in the Chinese translation shows no explicit AGENT_WALLET_DIR guidance. This is acceptable, but the English SDK-Guide.md environment variable reference table still lists the default as ~/.agent-wallet in the description column:

| `AGENT_WALLET_DIR` | Key directory (default `~/.agent-wallet`) | ...

Using ~ here is harmless in documentation prose (not as a shell argument), so this is a minor consistency note rather than a bug.

Recommendation: In the environment variable reference table in docs/Agent-Wallet/Developer/SDK-Guide.md, clarify the default path wording to indicate it expands to the user's home directory, e.g.: Key directory (default: ~/.agent-wallet, i.e. $HOME/.agent-wallet). This prevents users from misinterpreting the table description as a literal shell value.

MINOR-4: `workflow_dispatch` Trigger Comment May Not Reflect Actual Behavior

File: .github/workflows/docker.yml
Lines: workflow_dispatch trigger line
Severity: Minor
Category: Documentation / CI correctness

Description:
The PR changes the workflow_dispatch entry to add a comment:

workflow_dispatch: # Intentionally unrestricted — allows manual builds from any branch for flexibility

This is accurate — workflow_dispatch without a branches filter does allow triggering from any branch. However, the comment could give the impression this is a deliberate widening of permissions, when in fact workflow_dispatch without branch restriction is the GitHub Actions default. Leaving the comment as written is not harmful, but it slightly overstates the intentionality. The removal of the debug credential-printing step in the same workflow is the more meaningful security change.

Recommendation: No action required, but optionally simplify the comment to # Allows manual trigger from any branch to avoid implying a deliberate security choice where none was made.

Positive Observations

Critical security fix: debug credential leak removed. The PR removes a CI step that printed Docker Hub credentials (username and token length) to workflow logs. While partial, logging the token length still constitutes unnecessary credential exposure in log output. Removing this step entirely is the correct fix.
Systematic single-quote enforcement for password exports. Multiple files across English and Chinese content consistently replace export AGENT_WALLET_PASSWORD="..." with export AGENT_WALLET_PASSWORD='...' and add explicit caution admonitions explaining why double-quoted shell variables silently break passwords with special characters. This is precisely the kind of subtle security bug that causes hard-to-diagnose authentication failures in production.
Replacing destructive rm -rf with agent-wallet reset. The FAQ files for both MCP servers previously instructed users to run rm -rf ~/.agent-wallet/ to reset wallets. This PR replaces those instructions with references to the dedicated agent-wallet reset CLI command and links to the new CLI Reference docs. This is a meaningful UX and safety improvement — the CLI command includes a confirmation prompt, while rm -rf is silent.
Replacing echo $AGENT_WALLET_PASSWORD with a non-exposing check. The old FAQ files included a verification step echo $AGENT_WALLET_PASSWORD which would print the master password to the terminal in plaintext. The PR replaces this with [[ -n "$AGENT_WALLET_PASSWORD" ]] && echo "set" || echo "not set" — a pattern that confirms presence without revealing the value. This commit message (fix MAJOR-1: echo $AGENT_WALLET_PASSWORD Instructs Users to Print Password to Terminal) correctly identifies this as a major issue and the fix is well-executed.
High-quality code examples with proper error handling. The SDK Cookbook examples for TRON and EVM transfers both include post-sign validation (checking for signature and txID fields), JSON parse error handling with descriptive re-throw, and appropriate comments distinguishing testnet from mainnet RPC endpoints. The TypeScript signedTx is correctly typed as Record<string, unknown> after JSON parsing rather than any.
Informative security callouts at appropriate danger levels. The new documentation makes effective use of Docusaurus admonition types (:::danger, :::caution, :::tip) at levels that match actual risk. For example, the raw_secret wallet type warning uses :::danger, the shell history risk of inline -p flag uses :::danger, and the --save-runtime-secrets trade-off uses :::danger with a detailed explanation. These are correctly calibrated.
Sidebar integration is correct and complete. Both sidebars.js (English) and the Chinese equivalent correctly add the Agent Wallet top-level section with its full hierarchy and add SKILLS/QuickStart to the existing Skills section. The new Agent Wallet section is positioned logically after MCP Server & Skills and before Openclaw Extension.

Checklist Results

Category	Status	Notes
A1. Logic errors / off-by-one	PASS	No logic errors in changed code
A2. Null/undefined handling	PASS	SDK examples include post-call validation
A3. Error handling	PASS	SDK examples catch and re-throw with context
A4. Concurrency / race conditions	N/A	Documentation only; no runtime concurrency changes
A5. Resource leaks	PASS	Python aiohttp sessions properly scoped via `async with`
A6. API contract / breaking changes	PASS	Documentation changes only; no API surface modified
B1. Injection vulnerabilities	PASS	No SQL/command injection vectors introduced
B2. Auth/Authz weakened	PASS	No auth logic changed; security advice improved
B3. Input validation	PASS	N/A for documentation
B4. Sensitive data / hardcoded secrets	PASS	Debug credential printing removed; no new secrets hardcoded
B5. Data exposure	PASS	`echo $PASSWORD` patterns replaced with non-exposing checks
B6. New dependencies	PASS	No new runtime dependencies added
C1. N+1 queries	N/A	No database access
C2. Missing indexes	N/A	No database access
C3. Unbounded operations	N/A	No data fetching in changed code
C4. Unnecessary computation	N/A	Documentation only
C5. Memory management	N/A	Documentation only
D1. Naming clarity	PASS	File names, headings, and variable names are clear
D2. Function complexity	PASS	No overly complex functions introduced
D3. Duplication	MINOR	English and Chinese docs mirror each other (acceptable for i18n)
D4. Dead code	PASS	No dead code; removed debug CI step is a positive
D5. Style consistency	MINOR	Double-quoted export in `SKILLS/QuickStart.md` inconsistent with rest of PR
E1. Tests for new logic	N/A	Documentation project; no unit tests applicable
E2. Test quality	N/A	Documentation project
E3. Edge case coverage	MINOR	Python TRON example missing fromAddress validation vs. TypeScript
F1. Public API documentation	PASS	All new docs are public-facing documentation
F2. Changed behavior documented	PASS	All behavior changes (wallet reset, password check) reflected in docs
F3. Complex logic commented	PASS	Non-obvious patterns (e.g., `visible: true` address format) are explained inline

Disclaimer

This is an automated code review generated by an AI code reviewer. While it aims to be thorough and accurate, it may miss context-specific concerns or incorrectly flag non-issues. All findings should be reviewed by a human maintainer before acting on them. The reviewer has only examined changes that appear in the diff between main and update-mcp-server.

github-actions · 2026-03-23T12:07:25Z

Code Review Report

Project: BofAI Docs (x402-tron documentation site)
PR: main -> update-mcp-server
Review Date: 2026-03-23
Reviewer: AI Code Reviewer (Code Review Skill v1.0.0)

PR Overview

Branch Information

Attribute	Value
From Branch	`main`
To Branch	`update-mcp-server`
Total Commits	24
Files Changed	54
Lines Added	~5,364
Lines Removed	~2,634

Commit History

Commit	Message
`b6621a6`	update skill and setup way
`590e69e`	update skills
`2248698`	update skill intro
`6295071`	update skill intro
`11c00b5`	update skills
`5ecdb8c`	update agent wallet
`b1e80c3`	update skills docs
`b6e023f`	workflow add update-mcp-server
`a5b2e70`	highlight agent wallet
`1ec9118`	fix
`4dff899`	fix new major audio issues
`26ff9f5`	fix MAJOR-1: echo $AGENT_WALLET_PASSWORD Instructs Users to Print Password to Terminal
`b92448f`	fix audio new issues
`ee9c759`	fix audio issues
`5e9152b`	fix audio report issue
`bafd81b`	fix audit suggestion
`b8ea082`	fix
`cf49298`	fix
`b1bfecd`	update
`bc4a8f0`	fix
`e88dbfc`	update agent-wallet
`a956313`	update
`57d7156`	Create audit-pr.yml
`6728342`	update

Review Summary

Verdict

Verdict: Request Changes

Findings at a Glance

Severity	Count
Critical	0
Major	3
Minor	6
Suggestion	5
Total	14

Summary

This PR introduces a substantial documentation overhaul for a Docusaurus-based docs site. The primary changes are: (1) a completely new "Agent Wallet" section covering introduction, quick start, CLI reference, SDK guide, and SDK cookbook documentation; (2) significant rewrites of the MCP Server (TRON and SUN) and SKILLS documentation to improve readability and audience breadth; (3) removal of client-specific tab-based configuration examples in favour of a client-agnostic approach; (4) a critical CI security fix removing a step that logged secret values to the workflow console; and (5) a version bump of package.json from 1.2.3 to 1.2.4.

The content quality is generally high — the new Agent Wallet documentation is well-structured, security-conscious, and user-friendly. The security fix in the CI workflow (docker.yml) removing plaintext secret echoing is a clear positive. However, the PR introduces several issues that should be addressed before merging. The most significant are: the introduction of an undocumented npx add-mcp command as the sole quick-start method without fallback instructions; a double-quoted TRON_PRIVATE_KEY example in SKILLS Quick Start that directly contradicts the well-established single-quote guidance used consistently throughout the same PR; and an out-of-sync i18n (zh-Hans) sidebar that omits the new SKILLS QuickStart page. Several minor documentation consistency and internal link issues also need attention.

Change Summary

CI / Build

.github/workflows/docker.yml: Removes debug step that echoed Docker Hub credentials to console; updates branch trigger from ai-bankofai-patch-1 to update-mcp-server; adds inline comment to workflow_dispatch.
package.json: Version bump from 1.2.3 to 1.2.4.

Navigation / Sidebar

sidebars.js (English): Adds McpServer-Skills/SKILLS/QuickStart to SKILLS section; adds new top-level "Agent Wallet" category with Intro, QuickStart, Developer sub-category (CLI-Reference, SDK-Guide, SDK-Cookbook), and FAQ.
i18n/zh-Hans/.../sidebars.js: Adds Agent Wallet section (mirrors English), but omits McpServer-Skills/SKILLS/QuickStart.
i18n/zh-Hans/.../current.json: Adds translation label for "Explore Further" sidebar category.

New Documentation — Agent Wallet (English + zh-Hans mirrors)

docs/Agent-Wallet/Intro.md: Introduction to Agent Wallet security model.
docs/Agent-Wallet/QuickStart.md: Three-step quick start guide.
docs/Agent-Wallet/FAQ.md: Comprehensive FAQ.
docs/Agent-Wallet/Developer/CLI-Reference.md: Complete CLI command reference.
docs/Agent-Wallet/Developer/SDK-Guide.md: TypeScript and Python SDK integration guide.
docs/Agent-Wallet/Developer/SDK-Cookbook.md: End-to-end transaction examples (TRON transfer, BSC transfer, x402).

Updated Documentation — MCP Servers

docs/McpServer-Skills/MCP/Intro.md: Minor wording change removing specific client names.
docs/McpServer-Skills/MCP/TRONMCPServer/Intro.md: Removes client-specific name references.
docs/McpServer-Skills/MCP/TRONMCPServer/QuickStart.md: Replaces multi-tab client config instructions with a single npx add-mcp @bankofai/mcp-server-tron command.
docs/McpServer-Skills/MCP/TRONMCPServer/OfficialServerAccess.md: Removes client-specific tab configs, retains generic HTTP example with API key header.
docs/McpServer-Skills/MCP/TRONMCPServer/LocalPrivatizedDeployment.md: Removes tab-based config examples, condenses Agent Wallet setup to a reference, simplifies configuration notes.
docs/McpServer-Skills/MCP/TRONMCPServer/FAQ.md: Removes client-specific troubleshooting, references new Agent Wallet docs for agent-wallet reset.
docs/McpServer-Skills/MCP/TRONMCPServer/ToolList.md: Adds hyperlinks to Agent Wallet docs from tool descriptions.
docs/McpServer-Skills/MCP/SUNMCPServer/*: Parallel changes to SUN MCP Server docs mirroring TRON changes.

Updated Documentation — SKILLS

docs/McpServer-Skills/SKILLS/Intro.md: Complete rewrite focusing on end-user benefits vs. technical architecture.
docs/McpServer-Skills/SKILLS/BANKOFAISkill.md: Renamed/rewritten as "Skill Catalog" with natural-language prompt examples.
docs/McpServer-Skills/SKILLS/Faq.md: Significantly rewritten with user-friendly tone.
docs/McpServer-Skills/SKILLS/QuickStart.md: New file — a new two-step quick start for SKILLS.

Updated Documentation — Openclaw Extension

docs/Openclaw-extension/Intro.md, QuickStart.md, FAQ.md: Rewrites for broader audience, gamified UX language, and reduced technical depth.

Detailed Findings

MAJOR-1 — Undocumented `npx add-mcp` Command in Quick Start Pages

Severity: Major
Category: Documentation / Correctness
Files:

docs/McpServer-Skills/MCP/TRONMCPServer/QuickStart.md (line 26)
docs/McpServer-Skills/MCP/SUNMCPServer/QuickStart.md (line ~18)
i18n/zh-Hans/docusaurus-plugin-content-docs/current/McpServer-Skills/MCP/TRONMCPServer/QuickStart.md
i18n/zh-Hans/docusaurus-plugin-content-docs/current/McpServer-Skills/MCP/SUNMCPServer/QuickStart.md

Description:
Both Quick Start pages have been changed to direct users to run npx add-mcp @bankofai/mcp-server-tron and npx add-mcp @bankofai/sun-mcp-server as the sole installation instruction. However, npx add-mcp is not a standard npm or Node.js built-in; it appears to be a third-party or custom CLI helper package. No version is pinned, no package name is explained, and no fallback is provided for users whose MCP client does not support this mechanism or who receive errors. If add-mcp is not installed globally and the npx cache doesn't contain it, users will receive a confusing error. The previous approach (multi-tab config snippets) was verbose but covered the three most common clients explicitly.

Code Snippet (diff):

-<Tabs>
-<TabItem value="Claude Desktop" label="Claude Desktop">
-...JSON config snippet...
-</TabItem>
+Run the following command in your terminal:
+
+```bash
+npx add-mcp @bankofai/mcp-server-tron
+```
+
+After the command completes, restart your MCP client.

Recommendation:
Either document what add-mcp is (e.g., link to its npm page), pin a version (npx add-mcp@x.y.z), or retain at least a collapsed fallback section with manual JSON config for users on Claude Desktop, Cursor, or other clients. Confirm the package add-mcp is a published, maintained npm package before shipping this as the primary path.

MAJOR-2 — SKILLS QuickStart Missing from zh-Hans Sidebar

Severity: Major
Category: Documentation / Correctness
Files:

i18n/zh-Hans/docusaurus-plugin-content-docs/current/sidebars.js

Description:
The English sidebars.js was updated to add McpServer-Skills/SKILLS/QuickStart to the SKILLS navigation section. The corresponding zh-Hans sidebars.js was updated to add the Agent Wallet section but the SKILLS QuickStart entry was not added. The zh-Hans translation file for QuickStart.md does exist under i18n/zh-Hans/docusaurus-plugin-content-docs/current/McpServer-Skills/SKILLS/QuickStart.md, so this is a pure sidebar omission. Chinese-locale users browsing the SKILLS section will not see the Quick Start page in the sidebar navigation.

Code Snippet (update-mcp-server i18n/zh-Hans sidebars.js — SKILLS section):

{
  label: 'SKILLS',
  collapsed: false,
  items: [
    'McpServer-Skills/SKILLS/Intro',
    // 'McpServer-Skills/SKILLS/QuickStart' <-- MISSING
    'McpServer-Skills/SKILLS/BANKOFAISkill',
    'McpServer-Skills/SKILLS/Faq',
  ],
},

Recommendation:
Add 'McpServer-Skills/SKILLS/QuickStart' to the zh-Hans SKILLS items array, in the same position as the English sidebar:

items: [
  'McpServer-Skills/SKILLS/Intro',
  'McpServer-Skills/SKILLS/QuickStart',
  'McpServer-Skills/SKILLS/BANKOFAISkill',
  'McpServer-Skills/SKILLS/Faq',
],

MAJOR-3 — `TRON_PRIVATE_KEY` Shown with Double Quotes in SKILLS QuickStart (Contradicts PR's Own Single-Quote Guidance)

Severity: Major
Category: Security / Documentation Consistency
File: docs/McpServer-Skills/SKILLS/QuickStart.md (lines ~68, ~81) and i18n/zh-Hans/.../SKILLS/QuickStart.md

Description:
The new SKILLS QuickStart document, under "Option 2: Paste Your Private Key Directly," instructs users to add:

export TRON_PRIVATE_KEY="your_real_or_testnet_private_key"

with the note "⚠️ Important: Don't forget the double quotes on both sides!" This directly contradicts the consistent and correct single-quote guidance provided throughout this same PR in the Agent Wallet docs, CLI Reference, SDK Guide, and SUN FAQ. Double quotes are dangerous for credentials containing shell metacharacters ($, !, \, backticks). If a private key ever contains or begins with $, the shell will silently corrupt the value. Because this page is targeting beginners as the "fast path" option, this guidance is particularly risky.

Code Snippet:

export TRON_PRIVATE_KEY="your_real_or_testnet_private_key"

⚠️ Important: Don't forget the double quotes on both sides!

Recommendation:
Change the example to use single quotes:

export TRON_PRIVATE_KEY='your_real_or_testnet_private_key'

Remove the instruction "Don't forget the double quotes" and optionally replace it with the standard note found in the Agent Wallet pages: "Use single quotes — they prevent the shell from misinterpreting special characters."

MINOR-1 — `TRONGRID_API_KEY` and Other Non-Password Env Vars Using Double Quotes Inconsistently

Severity: Minor
Category: Documentation Consistency
Files:

docs/McpServer-Skills/MCP/TRONMCPServer/LocalPrivatizedDeployment.md
docs/McpServer-Skills/MCP/SUNMCPServer/LocalPrivatizedDeployment.md

Description:
Several newly introduced environment variable export examples in the LocalPrivatizedDeployment docs use double quotes for values that are safe (API keys with no special chars, placeholder values). While these specific values are unlikely to contain shell metacharacters, the inconsistency with the strong single-quote guidance established elsewhere in the PR creates a confusing mixed message for readers.

Examples:

export TRON_PRIVATE_KEY="<your-private-key-hex>"
export TRON_MNEMONIC="word1 word2 word3 ... word12"
export TRONGRID_API_KEY="<your-TronGrid-API-Key>"

Recommendation:
For consistency with the rest of the PR's documentation, switch these examples to use single quotes. Mnemonic phrases in particular can contain characters that may be problematic in double quotes. A comment in the code block noting "use single quotes" would further reinforce the pattern.

MINOR-2 — `agent-wallet init` Replaced by `agent-wallet reset` but Reset Command Documentation Is Incomplete

Severity: Minor
Category: Documentation Accuracy
File: docs/McpServer-Skills/MCP/TRONMCPServer/FAQ.md (diff lines around "agent wallet password incorrect")

Description:
The diff removes the old incorrect reference to agent-wallet init (which was a previously documented initialization command) and replaces it with agent-wallet reset. The new text correctly warns that reset "permanently wipes all wallets and keys." However, the note in the TRONMCPServer/FAQ only says to "run agent-wallet reset to wipe and start over" without explaining that the user must then run agent-wallet start to create a new wallet. A user who runs agent-wallet reset without knowing this next step will be left without a functioning wallet and no clear path forward.

Code Snippet (new text):

If the password is lost, you'll need to re-initialize. Warning: this permanently wipes all wallets and keys — ensure funds are moved or mnemonics backed up before proceeding. Run agent-wallet reset to wipe and start over — see CLI Reference → Reset and Agent-Wallet FAQ for details.

Recommendation:
Add a brief note after the agent-wallet reset reference: "After resetting, run agent-wallet start to create a new wallet." This is covered in the linked CLI Reference, but inline clarity prevents user confusion.

MINOR-3 — SUN MCP FAQ Troubleshooting Step References `rm -rf ~/.agent-wallet/` Without Warning

Severity: Minor
Category: Security / Documentation
File: docs/McpServer-Skills/MCP/SUNMCPServer/FAQ.md (replaced steps in "Verify password/reinitialize wallet" section)

Description:
The previous version of the SUN FAQ contained a troubleshooting step that suggested rm -rf ~/.agent-wallet/ as part of a reinitialize flow. The new version removes this bare destructive command and replaces it with the safer agent-wallet reset (with a warning) and a link to the CLI Reference. This is an improvement, but it is worth noting the new condensed single line for this in the context section:

"3. Reinitialize Wallet — run agent-wallet reset to wipe and start over."

While the SUNMCPServer FAQ version at line ~264 now calls [[ -n "$AGENT_WALLET_PASSWORD" ]] && echo "Password is set" (good), the single-line reinitialize instruction gives no warning of data loss, unlike the parallel instruction in TRONMCPServer/FAQ which does include the warning.

Recommendation:
Add a brief inline data-loss warning to the SUN FAQ reinitialize instruction, consistent with the TRON FAQ version:

"3. Reinitialize Wallet — Warning: this permanently wipes all wallets and keys. Run agent-wallet reset to wipe and start over. See CLI Reference → Reset for details."

MINOR-4 — `npx skills add` Is an Undocumented Command (SKILLS QuickStart)

Severity: Minor
Category: Documentation / Correctness
File: docs/McpServer-Skills/SKILLS/QuickStart.md (line ~24) and i18n/zh-Hans/...SKILLS/QuickStart.md

Description:
The new SKILLS Quick Start instructs users to run:

npx skills add https://github.com/BofAI/skills

Like npx add-mcp, the skills package is not explained, and no link is provided to its npm page or repository. Users receiving an error will have no context about what this tool is or whether it is supposed to be installed separately. Additionally, the npx skills add <git-url> pattern implies this is a custom installer — it is not a standard npm command.

Recommendation:
Add a brief clarification note, e.g.: "This uses the skills npm package to download and configure skill packs." If the package is under the BofAI org, link to the GitHub repo. This also applies to the verification step — the command Read the sunswap skill and tell me what it can do is presented as a verification but could be confusing if the AI doesn't find the skill.

MINOR-5 — `AGENT_WALLET_DIR` Path Inconsistency: `"~/.agent-wallet"` vs `"$HOME/.agent-wallet"`

Severity: Minor
Category: Documentation Consistency / Correctness
Files:

docs/McpServer-Skills/MCP/TRONMCPServer/LocalPrivatizedDeployment.md
docs/McpServer-Skills/MCP/SUNMCPServer/LocalPrivatizedDeployment.md

Description:
The PR correctly changes export AGENT_WALLET_DIR="~/.agent-wallet" to export AGENT_WALLET_DIR="$HOME/.agent-wallet" in the LocalPrivatizedDeployment docs for both TRON and SUN servers. This is a genuine correctness fix — shell tilde expansion does not occur inside double-quoted strings, but $HOME does expand correctly. However, the Agent Wallet SDK Guide (docs/Agent-Wallet/Developer/SDK-Guide.md) still contains the old ~/.agent-wallet form in an unexpanded double-quoted context:

export AGENT_WALLET_DIR="$HOME/.agent-wallet"

This specific example in the SDK Guide is actually already correct ($HOME inside double quotes expands), but for maximum clarity and consistency across all docs, all three occurrence patterns should be verified. If any page still uses "~/.agent-wallet" in a double-quoted export, it should be updated to "$HOME/.agent-wallet" or '~/.agent-wallet' (single quotes work for ~ in some shells).

Recommendation:
Do a final sweep for remaining "~/.agent-wallet" patterns and replace with "$HOME/.agent-wallet". The shell tilde expansion note in the Agent Wallet CLI Reference is a good inline tip that could also be added to the environment variable reference table in the SDK Guide.

MINOR-6 — `workflow_dispatch` Comment Could Create Security Misunderstanding

Severity: Minor
Category: Security / CI
File: .github/workflows/docker.yml (line 15)

Description:
The workflow_dispatch trigger was updated with an inline comment: # Intentionally unrestricted — allows manual builds from any branch for flexibility. While this explains the intention, the statement is slightly misleading. workflow_dispatch in GitHub Actions is not "unrestricted" in general — it is limited to users with write access to the repository. The comment may cause future reviewers to believe this is less controlled than it actually is, potentially leading to incorrect security assessments.

Recommendation:
Revise the comment for precision, e.g.:

workflow_dispatch: # Manual trigger for any branch; restricted to users with repo write access

SUGGESTION-1 — Pin Version in `npx` Commands for Reproducibility

Severity: Suggestion
Category: Reliability / Documentation
Files: Multiple MCP QuickStart and LocalPrivatizedDeployment docs

Description:
Throughout the updated docs, npx -y @bankofai/mcp-server-tron and npx -y @bankofai/sun-mcp-server are used without version pinning. This is common for documentation but means users could silently pick up a breaking version update. Consider noting the current stable version in the installation examples or adding a note like "For reproducible builds, pin the version: npx -y @bankofai/mcp-server-tron@x.y.z."

SUGGESTION-2 — `echo $AGENT_WALLET_PASSWORD` Security Warning Applied Inconsistently

Severity: Suggestion
Category: Security / Documentation Consistency
Files: Multiple — some FAQ pages now correctly use [[ -n "$AGENT_WALLET_PASSWORD" ]] && echo "Password is set" to avoid printing the value, while others still may reference direct echo.

Description:
The commit history shows fix MAJOR-1: echo $AGENT_WALLET_PASSWORD Instructs Users to Print Password to Terminal, indicating a specific audit finding was addressed. The SUN MCP FAQ and TRON MCP FAQ have both been updated to use the safe [[ -n "$VARIABLE" ]] && echo "set" pattern. This is excellent. The Suggestion is to audit the entire diff for any remaining instances where documentation examples might print sensitive variable values to the terminal, in particular in the new Agent Wallet and SDK docs.

SUGGESTION-3 — Missing Docusaurus Frontmatter in New Agent Wallet Pages

Severity: Suggestion
Category: Documentation Quality
Files:

docs/Agent-Wallet/Intro.md
docs/Agent-Wallet/QuickStart.md
docs/Agent-Wallet/FAQ.md
docs/Agent-Wallet/Developer/CLI-Reference.md
docs/Agent-Wallet/Developer/SDK-Guide.md
docs/Agent-Wallet/Developer/SDK-Cookbook.md

Description:
Several of the existing MCP Server docs include a YAML frontmatter block with title: and description: fields (e.g., docs/McpServer-Skills/MCP/SUNMCPServer/FAQ.md has title: FAQ & Troubleshooting and description: ...). The new Agent Wallet docs have no frontmatter at all. This means Docusaurus will auto-generate SEO metadata from the H1 heading, which is usually fine but misses the opportunity to provide search-engine-optimised descriptions.

Recommendation:
Add YAML frontmatter to new Agent Wallet pages, especially for pages with broad appeal like the Introduction and Quick Start.

SUGGESTION-4 — Potential Cross-Platform Issue: Windows Users in SKILLS QuickStart

Severity: Suggestion
Category: Documentation / Usability
File: docs/McpServer-Skills/SKILLS/QuickStart.md (lines ~59-78)

Description:
The SKILLS QuickStart "Option 2" private key configuration for Windows users instructs: "In the WSL terminal, type notepad.exe ~/.bashrc and press Enter." This assumes users have WSL installed. Many Windows users using AI tools (e.g., Claude Desktop for Windows) do not use WSL and have no ~/.bashrc. The instruction may confuse a significant portion of the target audience ("beginners" per the page's stated audience).

Recommendation:
Add a brief note clarifying that WSL is required for this approach, or provide an alternative for native Windows (e.g., setting the System Environment Variables via the Control Panel GUI).

SUGGESTION-5 — `react: "18"` vs `react-dom: "18"` — Exact Version String Should Use Semver

Severity: Suggestion
Category: Code Quality / Dependencies
File: package.json

Description:
The package.json specifies "react": "18" and "react-dom": "18". While npm resolves "18" to the latest 18.x.x release, standard semver practice is to use "^18.0.0" or "18.x" for clarity. This is a pre-existing issue not introduced by this PR but is visible in the changed file. The version bump from 1.2.3 to 1.2.4 is the only actual change to package.json.

Recommendation:
This is cosmetic and pre-existing. No action required from this PR.

Positive Observations

Critical CI Security Fix: The removal of the "Debug Docker Hub secrets" step that printed $DOCKERHUB_USERNAME and the token length to the Actions log is an important security improvement. Even though the token length does not directly expose credentials, username logging in CI output was unnecessary.
Consistent Single-Quote Security Guidance: Throughout the new Agent Wallet documentation (Intro, QuickStart, CLI Reference, SDK Guide, FAQ), the PR consistently and correctly instructs users to use single quotes when exporting passwords with special characters. Multiple explicit "caution" admonitions and code comments reinforce this. The fix to AGENT_WALLET_PASSWORD from double-quote to single-quote in the MCP Server deployment docs is correct.
Replacement of echo $AGENT_WALLET_PASSWORD with Safe Check: The [[ -n "$AGENT_WALLET_PASSWORD" ]] && echo "Password is set" || echo "Password NOT set" pattern adopted in troubleshooting sections is excellent operational security hygiene. It verifies whether the variable is set without exposing the value.
AGENT_WALLET_DIR Path Fix: Changing export AGENT_WALLET_DIR="~/.agent-wallet" to export AGENT_WALLET_DIR="$HOME/.agent-wallet" is a genuine correctness fix — tilde expansion does not occur within double-quoted strings in POSIX shells.
Linking Internal Documentation: The PR improves cross-referencing by adding hyperlinks from MCP Server tool descriptions (ToolList.md), FAQ entries, and deployment guides to the new Agent Wallet documentation. This reduces documentation fragmentation.
Clear Dual-Lock Security Model: The Agent Wallet Intro.md and FAQ.md articulate the "physical file + password separation" security model clearly and at a level appropriate for the intended audience. The comparison table showing the difference between the traditional plaintext key approach and Agent Wallet is well done.
User-Friendly Content Tone: The rewrites of SKILLS Intro, Openclaw Intro, and SKILLS FAQ significantly improve accessibility for non-technical users without sacrificing accuracy for advanced users.
Comprehensive SDK Documentation: The SDK Guide and SDK Cookbook are detailed, include both TypeScript and Python examples, cover error handling with typed exceptions, and address real end-to-end transaction flows.

Checklist Results

Check	Result	Notes
Security: No hardcoded secrets	PASS	Debug step with credential logging removed
Security: Env var quoting guidance is safe	PARTIAL	Single-quote guidance is strong overall, but SKILLS QuickStart Option 2 uses double-quotes for TRON_PRIVATE_KEY
Security: Sensitive var values not echoed to console	PASS	Changed to existence-check pattern
CI: Workflow syntax valid	PASS	docker.yml is well-formed YAML
Correctness: All referenced files exist	PARTIAL	`npx add-mcp` and `npx skills add` reference packages not linked or documented
Correctness: Internal cross-links resolve	PARTIAL	CLI Reference anchor `#agent-wallet-reset-reset-all-data` resolves; OfficialServerAccess still in sidebar and still has content
Correctness: i18n sidebar in sync	FAIL	zh-Hans sidebar missing SKILLS/QuickStart entry
Documentation: New Agent Wallet section complete	PASS	Intro, QuickStart, CLI Reference, SDK Guide, SDK Cookbook, FAQ all present
Documentation: i18n translations present for new content	PASS	All new Agent Wallet and SKILLS files have zh-Hans counterparts
Documentation: Frontmatter present	PARTIAL	New Agent Wallet docs lack frontmatter; SUN FAQ retains it
Code Quality: No dead code	PASS	Removed `import Tabs` / `import TabItem` imports where tabs were removed
Testing: Documentation examples are runnable	PARTIAL	npx commands lack version pins; add-mcp / skills packages undocumented
Performance: Build impact	PASS	Only documentation content added, no code that affects build performance

Disclaimer

This report was generated by an automated AI code reviewer. All findings should be verified by a human reviewer before taking action. The AI reviewer focuses on the code changes between the specified branches only and does not have access to runtime environments, external services, or the full git history beyond the diff provided.

github-actions · 2026-03-23T13:27:22Z

Code Review Report

Project: x402-tron/docs
PR: main → update-mcp-server
Review Date: 2026-03-23
Reviewer: AI Code Reviewer (Code Review Skill v1.0.0)

PR Overview

Branch Information

Property	Value
From Branch	`main`
To Branch	`update-mcp-server`
Commits	40
Files Changed	54
Lines Added	+5,256
Lines Removed	-2,636

Commit History (recent)

Hash	Message
`7fedc2e`	delete permanently
`b6621a6`	update skill and setup way
`590e69e`	update skills
`2248698`	update skill intro
`6295071`	update skill intro
`11c00b5`	update skills
`5ecdb8c`	update agent wallet
`b1e80c3`	update skills docs
`b6e023f`	workflow add update-mcp-server
`a5b2e70`	highlight agent wallet

Review Summary

Verdict

Verdict: Request Changes

Findings at a Glance

	Critical	Major	Minor	Suggestion
Count	0	2	4	3

Summary

This PR is a substantial documentation overhaul with three main themes: (1) adding a brand-new Agent Wallet documentation section (6 new files + Chinese translations), (2) refactoring the MCP Server docs to be client-agnostic (replacing Claude Desktop / Claude Code / Cursor-specific tabs with generic instructions), and (3) rewriting the SKILLS section intro in a more consumer-friendly tone. A workflow fix also removes a security-sensitive debug step that was leaking Docker Hub credential metadata.

The quality of the new Agent Wallet documentation is high — security guidance is thorough and accurate. The client-agnostic direction for MCP Server docs is the right strategic move for a growing ecosystem. However, the refactoring of the local deployment guides has introduced two Major gaps: client configuration instructions were removed from both TRONMCPServer/LocalPrivatizedDeployment.md and SUNMCPServer/LocalPrivatizedDeployment.md, leaving users who successfully run the server with no guidance on how to actually connect an MCP client to it. Additionally, the SUN MCP Server QuickStart was replaced with a command (npx add-mcp) that is Claude Code-specific, breaking the flow for users of other clients.

Change Summary

1. CI/CD: GitHub Actions Workflow

File	Change Type	Description
`.github/workflows/docker.yml`	Modified	Branch trigger updated; debug secrets-printing step removed; `workflow_dispatch` comment added
`package.json`	Modified	Version bump `1.2.3` → `1.2.4`

Purpose: Remove a debug step that exposed Docker Hub credential metadata (DOCKERHUB_USERNAME value and DOCKERHUB_TOKEN length) and target the new branch for builds.

2. Navigation: Sidebar Updates

File	Change Type	Description
`sidebars.js`	Modified	New "Agent Wallet" top-level category; `SKILLS/QuickStart` added to SKILLS section
`i18n/zh-Hans/.../current/sidebars.js`	Modified	Same changes mirrored for Chinese locale
`i18n/zh-Hans/.../current.json`	Modified	New sidebar label translations added

Purpose: Wire up new documentation pages into the site navigation.

3. New Feature: Agent Wallet Documentation Section

File	Change Type	Description
`docs/Agent-Wallet/Intro.md`	Added	Overview of Agent Wallet — what it is, how it works, security model
`docs/Agent-Wallet/QuickStart.md`	Added	3-step setup guide
`docs/Agent-Wallet/FAQ.md`	Added	Security FAQ (218 lines) covering trust model, encryption, common errors
`docs/Agent-Wallet/Developer/CLI-Reference.md`	Added	Complete CLI command reference with security callouts
`docs/Agent-Wallet/Developer/SDK-Guide.md`	Added	TypeScript / Python SDK integration guide
`docs/Agent-Wallet/Developer/SDK-Cookbook.md`	Added	End-to-end runnable examples: TRON transfer, EVM transfer, x402 payment
`i18n/zh-Hans/...` ×6	Added	Full Chinese translations of all above

Purpose: Document the Agent Wallet tool comprehensively for end users and developers integrating the SDK.

4. MCP Server Docs: Client-Agnostic Refactor

File	Change Type	Description
`docs/McpServer-Skills/MCP/Intro.md`	Modified	Removed "e.g., Claude Code or Claude Desktop" from MCP Host definition
`docs/McpServer-Skills/MCP/SUNMCPServer/QuickStart.md`	Modified	Replaced per-client tabs with single `npx add-mcp` command
`docs/McpServer-Skills/MCP/SUNMCPServer/OfficialServerAccess.md`	Modified	Removed per-client config tabs; kept HTTP API section only
`docs/McpServer-Skills/MCP/SUNMCPServer/FAQ.md`	Modified	"Claude Desktop" → "MCP client"; `~/.claude` cache path generalized
`docs/McpServer-Skills/MCP/SUNMCPServer/LocalPrivatizedDeployment.md`	Modified	Removed client config step; "Step 3: Client Config" replaced with "Step 3: Server Running Methods"
`docs/McpServer-Skills/MCP/TRONMCPServer/QuickStart.md`	Modified	Per-client tabs removed; generic `npx add-mcp` used
`docs/McpServer-Skills/MCP/TRONMCPServer/OfficialServerAccess.md`	Modified	Removed per-client config tabs; kept HTTP API section
`docs/McpServer-Skills/MCP/TRONMCPServer/FAQ.md`	Modified	Client references generalized
`docs/McpServer-Skills/MCP/TRONMCPServer/Intro.md`	Modified	Minor wording updates
`docs/McpServer-Skills/MCP/TRONMCPServer/ToolList.md`	Modified	Minor wording updates
`docs/McpServer-Skills/MCP/TRONMCPServer/LocalPrivatizedDeployment.md`	Modified	"Step 4: Client Configuration" entirely removed
`i18n/zh-Hans/...` (MCP files)	Modified	Chinese translations updated to match

Purpose: Make MCP Server documentation client-agnostic so it applies to any MCP-compatible tool, not just Claude Desktop / Claude Code / Cursor.

5. SKILLS Documentation Rewrite

File	Change Type	Description
`docs/McpServer-Skills/SKILLS/Intro.md`	Modified	Complete rewrite: technical architecture doc → consumer-friendly intro with examples
`docs/McpServer-Skills/SKILLS/BANKOFAISkill.md`	Modified	Page title: "BANK OF AI Skills" → "Skill Catalog"; significant content restructure
`docs/McpServer-Skills/SKILLS/QuickStart.md`	Added	New quick-start page for SKILLS
`docs/McpServer-Skills/SKILLS/Faq.md`	Modified	FAQ updates
`i18n/zh-Hans/...` (SKILLS files)	Modified	Chinese translations updated

Purpose: Reposition SKILLS docs from a developer-oriented technical reference to a more accessible consumer-facing guide.

6. Openclaw Extension Docs

File	Change Type	Description
`docs/Openclaw-extension/Intro.md`	Modified	Expanded intro content
`docs/Openclaw-extension/QuickStart.md`	Modified	Rewritten quick-start steps
`docs/Openclaw-extension/FAQ.md`	Modified	Significant FAQ reduction and rewording
`i18n/zh-Hans/...` (Openclaw files)	Modified	Chinese translations updated

Purpose: Refresh and streamline Openclaw extension documentation.

Detailed Findings

Major

[MJ-01] Local Deployment Guide Missing Client Configuration (TRON MCP Server)

Property	Value
Severity	Major
Category	Documentation
File	`docs/McpServer-Skills/MCP/TRONMCPServer/LocalPrivatizedDeployment.md`

Description

The PR removes "Step 4: Client Configuration" entirely from the TRON MCP Server local deployment guide. The removed step contained concrete configuration examples for Claude Desktop (claude_desktop_config.json), Claude Code (claude mcp add), and Cursor (.cursor/mcp.json). After this change, the guide walks a user through installing dependencies, configuring their wallet, and building the server — then stops. There is no instruction on how to connect any MCP client to the local server. A user who completes the guide will have a running server but no way to use it.

Code (removed from diff):

-### Step 4: Client Configuration
-
-With environment variables set and installation done, now point your AI client to the local server.
-
-#### Add Server Definition
-
-<Tabs>
-<TabItem value="npx" label="Option A: npx Run (Recommended)">
-   ...Claude Desktop, Claude Code, Cursor configs shown...
-</TabItem>
-<TabItem value="local" label="Option B: Local Source Code">
-   ...Claude Desktop config for local source path...
-</TabItem>
-</Tabs>

Recommendation

Restore a client configuration step that is consistent with the new client-agnostic direction. Since the goal is to avoid tool-specific tabs, a minimal generic version would suffice:

### Step 4: Connect Your MCP Client

Run the server and register it with your MCP client. The exact method depends on your client — consult your client's documentation for adding a `stdio` server. Common approaches:

**Using `npx` (any client that supports stdio MCP servers):**
```json
{
  "mcpServers": {
    "mcp-server-tron": {
      "command": "npx",
      "args": ["-y", "@bankofai/mcp-server-tron"]
    }
  }
}

After adding the configuration, restart your MCP client.


---

#### [MJ-02] Local Deployment Guide Missing Client Configuration (SUN MCP Server)

| Property | Value |
|----------|-------|
| **Severity** | Major |
| **Category** | Documentation |
| **File** | `docs/McpServer-Skills/MCP/SUNMCPServer/LocalPrivatizedDeployment.md` |

**Description**

The same issue as MJ-01 affects the SUN MCP Server local deployment guide. The original "Step 3: Client Configuration" section — which showed users how to configure their AI client to point at the running local server — was replaced entirely with "Step 3: Server Running Methods," which only explains how to run the server via `npx` or from source. The client-side wiring instructions are completely absent. A user completing the guide will have the server running but won't know how to connect their MCP client to it.

**Code (diff excerpt):**

```diff
-### Step 3: Client Configuration
-
-After configuration is complete, you need to add the connection definition of SUN MCP Server
-in your AI client.
-
-#### Find Configuration File
-
-| Client | Configuration File Path |
-...
-#### Add Server Definition
-...
+### Step 3: Server Running Methods
+
+After wallet configuration is complete, you can run the server using one of the following methods:

Recommendation

After the "Server Running Methods" section, add a "Step 4: Connect Your MCP Client" section with at minimum a generic JSON snippet showing how to register the running server as an MCP stdio server, and a pointer to each client's docs for specifics.

Minor

[MN-01] QuickStart Uses Claude Code-Specific `npx add-mcp` Command

Property	Value
Severity	Minor
Category	Documentation
File	`docs/McpServer-Skills/MCP/SUNMCPServer/QuickStart.md` : line ~25

Description

The SUN MCP QuickStart was changed from a tabbed guide (one tab each for Claude Desktop, Claude Code, Cursor) to a single command:

-<Tabs>
-<TabItem value="claude-desktop" label="Claude Desktop">
-  ...
-</TabItem>
-<TabItem value="claude-code" label="Claude Code">
-  Run the following command in the terminal to add SUN MCP Server:
-  ```bash
-  claude mcp add --transport http sun-mcp-server https://sun-mcp-server.bankofai.io/mcp
-  ```
-</TabItem>
-...
+Run the following command in the terminal to add SUN MCP Server:
+
+```bash
+npx add-mcp @bankofai/sun-mcp-server
+```
+After the command completes, restart your MCP client.

npx add-mcp is a package provided by Anthropic that is designed specifically for Claude Code's MCP management. Users of Claude Desktop, Cursor, or other generic MCP clients will not benefit from this command and may be confused when it doesn't register the server in their client. This contradicts the PR's stated goal of being client-agnostic.

Recommendation

Replace or supplement the npx add-mcp command with the more universal JSON snippet approach, or add a note that this command targets Claude Code specifically and link to generic HTTP configuration for other clients:

**For Claude Code users:**
```bash
npx add-mcp @bankofai/sun-mcp-server

For other MCP clients, add this to your client's MCP server configuration:

{
  "mcpServers": {
    "sun-mcp-server": {
      "command": "npx",
      "args": ["mcp-remote", "https://sun-mcp-server.bankofai.io/mcp"]
    }
  }
}


---

#### [MN-02] TRON QuickStart Also Uses `npx add-mcp` Without Alternate Instructions

| Property | Value |
|----------|-------|
| **Severity** | Minor |
| **Category** | Documentation |
| **File** | `docs/McpServer-Skills/MCP/TRONMCPServer/QuickStart.md` |

**Description**

Same issue as MN-01 — the TRON MCP Server QuickStart was also simplified to `npx add-mcp @bankofai/mcp-server-tron` as the sole installation method. Users of non-Claude Code clients receive no usable guidance.

**Recommendation**

Apply the same fix as MN-01: provide a generic JSON configuration block alongside or instead of the `npx add-mcp` command.

---

#### [MN-03] `workflow_dispatch` Is Now Truly Unrestricted — Comment Is Correct but Warrants Awareness

| Property | Value |
|----------|-------|
| **Severity** | Minor |
| **Category** | Compatibility / Observability |
| **File** | `.github/workflows/docker.yml` : line 16 |

**Description**

```diff
-  workflow_dispatch:
+  workflow_dispatch: # Intentionally unrestricted — allows manual builds from any branch for flexibility

workflow_dispatch without branch restrictions allows any repository collaborator with write access to manually trigger a Docker image build from any branch. The comment correctly documents the intent. However, this could lead to unintended image builds from experimental or insecure branches being pushed to Docker Hub if access control is not tight. This is a low-risk observation given the explicit comment, but worth noting for future security reviews.

Recommendation

Consider restricting image publication to only protected branches by checking github.ref in the push step:

- name: Build and push Docker image
  if: github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master')
  ...

This way manual workflow_dispatch builds can still be triggered (for testing) but images are only published from main/master.

[MN-04] Hardcoded Example Password Unchanged in CLI-Reference Code Block

Property	Value
Severity	Minor
Category	Documentation / Security
File	`docs/Agent-Wallet/Developer/CLI-Reference.md` : lines ~30–35, ~170

Description

The new CLI Reference uses Abc12345! as the example password throughout multiple code blocks:

agent-wallet start -p Abc12345!
agent-wallet start -p Abc12345! -k your-private-key-hex
agent-wallet sign msg "Hello" -n tron -p 'Abc12345!'

While this is a documentation example (not a hardcoded secret), using a specific-looking password like Abc12345! that satisfies common password policies could lead less experienced users to adopt it as a template, choosing something very close to it (e.g., Abc12345@, Abc12345#) for their real wallets. The same page correctly warns against the -p inline approach in production — the example value is fine in that context, but could be made more obviously synthetic.

Recommendation

Replace with a clearly placeholder value such as YourP@ssw0rd! or <your-password> (noting that <> cannot be used in bash without escaping) to reduce the chance of users treating it as a secure template:

agent-wallet start -p 'YourStr0ngP@ss!'

Suggestions

[S-01] SKILLS/Intro.md: Technical Architecture Details Removed

File: docs/McpServer-Skills/SKILLS/Intro.md

Description: The previous version of Intro.md contained a detailed technical explanation of the three-tier progressive loading architecture (Shelf Index → Operation Manual → Tool Execution), the difference between Skills and MCP Server, and the explicit/implicit invocation modes. All of this was replaced with consumer-facing marketing content. Developers looking to understand how Skills work technically or looking to build/integrate Skills will have no reference point.

Suggestion: Consider adding a separate "For Developers" or "Architecture" page under SKILLS that preserves the technical content. The consumer-friendly intro is appropriate for new users, but the prior technical content was valuable for contributors and integrators.

[S-02] `OfficialServerAccess.md` Pages No Longer Cover Client Configuration

File: docs/McpServer-Skills/MCP/SUNMCPServer/OfficialServerAccess.md, docs/McpServer-Skills/MCP/TRONMCPServer/OfficialServerAccess.md

Description: Both OfficialServerAccess.md files now only contain HTTP API documentation (the former "Generic HTTP Call" tab). The per-client configuration (Claude Desktop, Claude Code, Cursor) was removed. This means the only way to learn how to configure a specific client is through the QuickStart pages, which themselves only cover npx add-mcp (Claude Code). The OfficialServerAccess page is a natural destination for users who want to configure a cloud connection in their specific client, but that information no longer exists anywhere in the docs.

Suggestion: Either add a brief generic MCP client configuration section to each OfficialServerAccess.md, or add a prominent link to a dedicated "MCP Client Setup" guide that gives configuration examples for major clients (Claude Desktop, Cursor, etc.).

[S-03] Chinese (zh-Hans) i18n Files Should Be Reviewed for Accuracy

File: i18n/zh-Hans/docusaurus-plugin-content-docs/current/ (27 files changed)

Description: All English documentation changes were propagated to zh-Hans translations. Given the volume (27 files, thousands of lines), it is not possible to verify translation accuracy in this review. The translations may contain automated-translation artifacts, particularly in the new Agent Wallet and SDK Cookbook sections which include highly technical content (encryption algorithms, Keystore V3, scrypt, EIP-712, etc.).

Suggestion: Have a native Chinese speaker review at minimum the new Agent Wallet documentation translations before merge, especially security-sensitive sections (FAQ security answers, CLI Reference danger/caution callouts).

Positive Observations

Area	Observation
Security fix	The debug step in `docker.yml` that printed `echo "username=[$DOCKERHUB_USERNAME]"` and token length was removed — this was a data-leak risk in CI logs and its removal is correct.
Password quoting	`AGENT_WALLET_PASSWORD='<your-master-password>'` correctly changed from double to single quotes in LocalPrivatizedDeployment guides — prevents shell expansion of special characters in passwords.
`$HOME` vs `~`	`AGENT_WALLET_DIR="$HOME/.agent-wallet"` correctly replaces `"~/.agent-wallet"` — tilde is not reliably expanded in double-quoted strings.
Agent Wallet security docs	The new CLI Reference, FAQ, and SDK Guide contain thorough, accurate security warnings: `raw_secret` dangers, shell history leakage via `-p`, `runtime_secrets.json` risks, dual-lock threat model explanation. These are well-written and technically accurate.
Agent Wallet SDK Cookbook	The end-to-end examples (TRON transfer, EVM transfer, x402 payment) include address mismatch validation, JSON parse error handling, and missing field checks that go beyond minimal examples — good defensive coding practice demonstrated.
Client-agnostic direction	Replacing hard-coded "Claude Desktop" references with "MCP client" throughout FAQs and intros is the right long-term direction for a growing multi-client ecosystem.
Links updated	External GitHub link to agent-wallet docs replaced with internal `/Agent-Wallet/Intro` link — better for keeping users within the documentation site.
Version bump	`package.json` version correctly incremented from 1.2.3 → 1.2.4 alongside the documentation changes.

Checklist Results

Category	Items Checked	Pass	Fail	N/A	Notes
Correctness	8	7	1	0	QuickStart `npx add-mcp` only works for Claude Code (MN-01, MN-02)
Security	10	9	0	1	Docker debug step removed (positive). No secrets/tokens in new docs.
Performance	7	0	0	7	No runtime code changes
Code Quality	8	7	0	1	`$HOME` fix, single-quote fix applied correctly
Testing	7	0	0	7	Documentation-only changes
Documentation	6	4	2	0	Missing client config in local deployment guides (MJ-01, MJ-02)
Compatibility	5	3	1	1	`workflow_dispatch` unrestricted (MN-03); `npx add-mcp` client-specific (MN-01)
Observability	4	3	0	1	`workflow_dispatch` comment added for intent clarity

Disclaimer

This is an automated code review. It supplements but does not replace human review. The reviewer analyzed only the diff between main and update-mcp-server. Runtime behavior, integration testing, and deployment impact are not covered. Chinese translation accuracy was not verified.

Report generated by Code Review Skill v1.0.0
Date: 2026-03-23

github-actions · 2026-03-23T15:54:33Z

Code Review Report

Project: x402-tron/docs (BofAI Documentation Site)
PR: main → update-mcp-server
Review Date: 2026-03-23
Reviewer: AI Code Reviewer (Code Review Skill v1.0.0)

PR Overview

Branch Information

Property	Value
From Branch	`main`
To Branch	`update-mcp-server`
Commits	40
Files Changed	54
Lines Added	+5,253
Lines Removed	-2,942

Commit History (Recent)

Hash	Message
`249c43b`	Update Official Cloud Service MCP Usage Steps
`7fedc2e`	delete permanently
`b6621a6`	update skill and setup way
`590e69e`	update skills
`2248698`	update skill intro
`6295071`	update skill intro
`11c00b5`	update skills
`5ecdb8c`	update agent wallet
`b1e80c3`	update skills docs
`b6e023f`	workflow add update-mcp-server

Review Summary

Verdict

Verdict: Request Changes

Findings at a Glance

	Critical	Major	Minor	Suggestion
Count	0	2	4	3

Summary

This PR is primarily a documentation overhaul for the BofAI Docusaurus site, with one CI workflow change and a version bump. The changes deliver three major goals: (1) adding a new "Agent Wallet" documentation section with six new files covering intro, quick start, FAQ, CLI reference, SDK guide, and cookbook; (2) significantly simplifying MCP server setup instructions for both TRON and SUN servers, moving from per-client tabbed configurations to a streamlined single-command approach; and (3) rewriting the SKILLS documentation with a new QuickStart page.

The CI change is a genuine security improvement — it removes a debug step that was leaking Docker Hub credentials to CI logs. The documentation changes also incorporate several important security fixes: shell quoting improvements for passwords and tilde expansion corrections for paths.

The two Major concerns both relate to undocumented npx commands pointing to packages with unclear provenance (add-mcp and skills). Users are being instructed to execute code without any indication of what npm package is being invoked, which is both a potential supply chain risk and a UX failure that will likely cause errors. These must be resolved before merge.

Change Summary

1. CI/CD Workflow Update

File	Change Type	Description
`.github/workflows/docker.yml`	Modified	Swap branch trigger from `ai-bankofai-patch-1` to `update-mcp-server`; remove credentials debug step; annotate `workflow_dispatch`

Purpose: Keep the Docker build CI aligned with the active development branch; remove a credential-leaking debug step accidentally left in production.

2. Package Version Bump

File	Change Type	Description
`package.json`	Modified	Version `1.2.3` → `1.2.4`

Purpose: Semver bump associated with this documentation release.

3. New Agent Wallet Documentation Section

File	Change Type	Description
`docs/Agent-Wallet/Intro.md`	Added	Conceptual intro: private-key risk, dual-lock architecture
`docs/Agent-Wallet/QuickStart.md`	Added	Three-command quick start for CLI setup
`docs/Agent-Wallet/FAQ.md`	Added	Comprehensive FAQ covering security, usage, cross-language support
`docs/Agent-Wallet/Developer/CLI-Reference.md`	Added	Full CLI reference with examples
`docs/Agent-Wallet/Developer/SDK-Guide.md`	Added	TypeScript/Python SDK usage guide
`docs/Agent-Wallet/Developer/SDK-Cookbook.md`	Added	Ready-to-use SDK code recipes
`sidebars.js` + i18n counterpart	Modified	Added "Agent Wallet" navigation category

Purpose: Introduce Agent Wallet as a standalone documentation section, replacing scattered install instructions in MCP server docs with a centralised reference.

4. MCP Server Documentation Simplification

File	Change Type	Description
`docs/McpServer-Skills/MCP/SUNMCPServer/OfficialServerAccess.md`	Modified	Replaced multi-tab client-specific config blocks with single `npx add-mcp` command
`docs/McpServer-Skills/MCP/TRONMCPServer/OfficialServerAccess.md`	Modified	Same simplification
`docs/McpServer-Skills/MCP/SUNMCPServer/LocalPrivatizedDeployment.md`	Modified	Removed per-client JSON snippets; restructured deployment steps; referenced Agent Wallet docs
`docs/McpServer-Skills/MCP/TRONMCPServer/LocalPrivatizedDeployment.md`	Modified	Same simplification
`docs/McpServer-Skills/MCP/SUNMCPServer/QuickStart.md`	Modified	Removed per-client tabs; replaced with generic `npx` install instruction
`docs/McpServer-Skills/MCP/TRONMCPServer/QuickStart.md`	Modified	Same
`docs/McpServer-Skills/MCP/SUNMCPServer/FAQ.md`	Modified	Updated troubleshooting steps; replaced `echo $AGENT_WALLET_PASSWORD` with safe existence check
`docs/McpServer-Skills/MCP/TRONMCPServer/FAQ.md`	Modified	Same; removed hardcoded JSON multi-server example
`docs/McpServer-Skills/MCP/Intro.md`	Modified	Removed "Claude Code or Claude Desktop" client-specific references
`docs/McpServer-Skills/MCP/TRONMCPServer/Intro.md`	Modified	Same
`docs/McpServer-Skills/MCP/TRONMCPServer/ToolList.md`	Modified	Added hyperlinks from `list_wallets`/`select_wallet` to Agent Wallet docs
i18n counterparts (all above)	Modified	Mirror all changes for English locale

Purpose: Reduce maintenance burden of per-client configuration examples; align with new Agent Wallet documentation hub; make docs client-agnostic.

5. SKILLS Documentation Rewrite

File	Change Type	Description
`docs/McpServer-Skills/SKILLS/QuickStart.md`	Added	New quick-start guide using `npx skills add`
`docs/McpServer-Skills/SKILLS/Intro.md`	Modified	Substantially rewritten for a simplified tone
`docs/McpServer-Skills/SKILLS/BANKOFAISkill.md`	Modified	Rewritten as a "Skill Catalog" with copy-paste prompts
`docs/McpServer-Skills/SKILLS/Faq.md`	Modified	Updated troubleshooting language
`sidebars.js` + i18n counterpart	Modified	Added `QuickStart` entry to SKILLS navigation

Purpose: Move SKILLS onboarding to a simpler UX: copy a prompt, hit enter, done.

6. Openclaw Extension Documentation Rewrite

File	Change Type	Description
`docs/Openclaw-extension/FAQ.md`	Modified	Simplified from detailed technical troubleshooting to plain-language guidance
`docs/Openclaw-extension/Intro.md`	Modified	Updated content
`docs/Openclaw-extension/QuickStart.md`	Modified	Updated content
i18n counterparts	Modified	Mirror all changes

Purpose: Lower barrier to entry by replacing advanced technical troubleshooting with plain-language guidance.

Detailed Findings

Major

[MJ-01] `npx add-mcp` — Unresolvable or Unverified npm Package

Property	Value
Severity	Major
Category	Security / Correctness
File	`docs/McpServer-Skills/MCP/SUNMCPServer/OfficialServerAccess.md` : Lines 26–28; `docs/McpServer-Skills/MCP/TRONMCPServer/OfficialServerAccess.md` : same section; plus all i18n counterparts

Description

Both OfficialServerAccess.md files now instruct users to connect to the cloud MCP server with a single command:
npx add-mcp https://sun-mcp-server.bankofai.io/mcp
# or
npx add-mcp https://tron-mcp-server.bankofai.io/mcp
add-mcp is not a well-known or verified npm package. The old implementation used mcp-remote (a documented package). The new add-mcp package name is ambiguous:

If no such package exists on npm, users will receive npm ERR! 404 and the documentation becomes broken.

If the package does exist but is maintained by a third party, users are being instructed to execute unvetted third-party code with no package scope (e.g., no @bankofai/add-mcp), exposing them to a supply chain attack if the name is squatted.

There is no explanation in the documentation of what add-mcp is, where it comes from, or what it does — violating the principle of minimum surprise for security-sensitive operations involving wallets and on-chain assets.

Code

Simply tell your AI Agent to execute the following command:

```bash
npx add-mcp https://sun-mcp-server.bankofai.io/mcp


**Recommendation**

Use a scoped package name and link to its source so users can verify it before running. If `add-mcp` is an internal/official tool:
```bash
# Use scoped name with verified provenance
npx @bankofai/add-mcp https://sun-mcp-server.bankofai.io/mcp

Alternatively, if the intention is to use the official @modelcontextprotocol/add-mcp CLI, reference that explicitly. Add a note such as: "add-mcp is published at [npm link] and maintained by [org]."

[MJ-02] `npx skills add` — Unresolvable or Unverified npm Package

Property	Value
Severity	Major
Category	Security / Correctness
File	`docs/McpServer-Skills/SKILLS/QuickStart.md` : Lines 17–19; i18n counterpart

Description

The new SKILLS/QuickStart.md instructs users to install all BANK OF AI skills with:
npx skills add https://github.com/BofAI/skills
skills is not a standard or published npm package. As written, npx skills add ... will fail with "command not found" for any user who does not already have a skills binary on their PATH. The documentation provides no context for where this command comes from.

Beyond the broken UX, if a malicious skills package is published to npm before the official one, any user following these instructions would execute attacker-controlled code. This is particularly concerning because the SKILLS system is described as managing wallets that hold real on-chain assets.

Code

```bash
npx skills add https://github.com/BofAI/skills

A bunch of text will scroll across the screen — you can ignore it.


**Recommendation**

Either (a) use a fully scoped package name that is already published:
```bash
npx @bankofai/skills add https://github.com/BofAI/skills

Or (b) if skills is a CLI that users install globally as part of the Agent Wallet or OpenClaw setup flow, point to that prerequisite step explicitly before listing this command. Add a link to the package's npm page for user verification.

Minor

[MN-01] `workflow_dispatch` Unrestricted — Any Branch Can Trigger Docker Hub Push

Property	Value
Severity	Minor
Category	Security
File	`.github/workflows/docker.yml` : Line 13

Description

The workflow comment added in this PR explicitly documents the intent: "Intentionally unrestricted — allows manual builds from any branch for flexibility."

When workflow_dispatch is unrestricted and github.event_name != 'pull_request' is the only gate for the Docker Hub push, any repository member with workflow_dispatch permission can push an image built from an arbitrary branch (including feature branches containing experimental or broken changes) directly to the production bankofai/docs Docker Hub image. In a small trusted team this may be acceptable, but it is an architectural risk worth tracking.

Code

  workflow_dispatch: # Intentionally unrestricted — allows manual builds from any branch for flexibility

Recommendation

Add an environment-based restriction or branch guard for the push step, so that manual workflow_dispatch runs can still build locally but only push to Docker Hub when triggered on main or master:

- name: Build and push Docker image
  if: github.event_name != 'pull_request' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master' || github.event_name == 'push')

If unrestricted manual pushes are truly desired, document this risk in the repository's security policy.

[MN-02] `LocalPrivatizedDeployment` Step Numbers Inconsistent After Restructure

Property	Value
Severity	Minor
Category	Documentation / Correctness
File	`docs/McpServer-Skills/MCP/TRONMCPServer/LocalPrivatizedDeployment.md` : Step numbering section

Description

In the TRON LocalPrivatizedDeployment.md, after removing Step 4 (Client Configuration) and renaming the old Step 5 to Step 4, the section that was "Step 4: Client Configuration" is now missing. However, the restructured document still refers to "Step 4: Verify Connection" without a preceding "Step 4: Client Configuration" — users are left to find client configuration guidance from the brief inline note. Specifically, the step ordering jumps:

Step 1: Prerequisites

Step 2: Choose wallet type

Step 3: Clone and build (old Step 3 retained)

(missing: explicit client configuration step)

Step 4: Verify Connection (previously Step 5)

This is a usability issue that may leave users unable to connect.

Recommendation

Either restore a concise Step 4 covering the most common client configuration pattern, or renumber accurately and add a clear cross-reference:

### Step 4: Connect Your MCP Client
For step-by-step client configuration instructions, refer to your MCP client's documentation.
A quick reference for common clients:
- **Claude Code**: `claude mcp add mcp-server-tron -- npx -y @bankofai/mcp-server-tron`
- **Other clients**: Point to the server command `npx -y @bankofai/mcp-server-tron`

[MN-03] `CLI-Reference.md` — Inline `-p` Password Caution Is Insufficient

Property	Value
Severity	Minor
Category	Security / Documentation
File	`docs/Agent-Wallet/Developer/CLI-Reference.md` : ~Lines 37–43

Description

The CLI Reference correctly warns that agent-wallet start -p Abc12345! records the password in shell history, and recommends using interactive mode or the AGENT_WALLET_PASSWORD env var. However, it then immediately shows code examples using -p Abc12345! in multiple places, including import-key and import-mnemonic examples. The example password Abc12345! is also a weak sample that users may copy verbatim.

Additionally, the :::caution block warns about shell history but doesn't mention that the password also appears in process listings (ps aux) while the command runs — a risk in multi-user environments.

Code

agent-wallet start -p Abc12345!
# ...
agent-wallet start -p Abc12345! -k your-private-key-hex
agent-wallet start -p Abc12345! -m "word1 word2 word3 ..."

Recommendation

Replace the inline -p Abc12345! examples with $AGENT_WALLET_PASSWORD or $(read -s -p "Password: " pw && echo "$pw") to demonstrate the secure pattern:

# Secure: read password from environment variable
AGENT_WALLET_PASSWORD="$AGENT_WALLET_PASSWORD" agent-wallet start

# Or: use interactive mode and let the tool prompt
agent-wallet start

If -p examples are kept for illustration, use a placeholder that is obviously not a real password (e.g., <YOUR_STRONG_PASSWORD>) rather than a realistic-looking value.

[MN-04] FAQ Inconsistency — `agent-wallet reset` vs `agent-wallet init` Cross-Referenced

Property	Value
Severity	Minor
Category	Documentation / Correctness
File	`docs/McpServer-Skills/MCP/TRONMCPServer/FAQ.md` : ~Line 96; `docs/McpServer-Skills/MCP/SUNMCPServer/FAQ.md` : ~Line 143

Description

The new FAQ text correctly uses agent-wallet reset (the new command name) and cross-links to the CLI Reference. However, the old TRON FAQ still contained a reference to agent-wallet init that was replaced in this PR. The replacement is correct, but the SUN and TRON FAQs link to an anchor #agent-wallet-reset-reset-all-data in the CLI Reference. If the CLI Reference's actual heading text differs from this anchor, users will land on a broken link. The anchor was not verified to exist in the generated CLI-Reference.md content.

Recommendation

Verify the heading in CLI-Reference.md generates the anchor agent-wallet-reset-reset-all-data correctly. If the heading is ## \agent-wallet reset` (Reset All Data), Docusaurus would generate #agent-wallet-reset-reset-all-data. Confirm this and add an automated link-check step or use the Docusaurus ` anchor tag to guarantee stability.

Suggestions

[S-01] Parallel i18n Maintenance is Error-Prone

File: i18n/en/docusaurus-plugin-content-docs/current/ (all files)

Description: Every documentation file exists in two copies: docs/ and i18n/en/docusaurus-plugin-content-docs/current/. This PR correctly updated both, but the duplication is a maintenance liability — a future PR touching one but not the other will silently create documentation drift. The diff shows several minor inconsistencies between the two copies (e.g., minor line count differences in some files).

Suggestion: Evaluate whether the i18n English copy could be configured as a symlink or re-exported from the canonical docs/ directory, reducing the surface area for drift. Alternatively, add a CI lint step that diffs docs/ against i18n/en/.../current/ and alerts on divergence.

[S-02] `raw_secret` Wallet Type Visibility Risk

File: docs/Agent-Wallet/Developer/CLI-Reference.md : ~Lines 21–28

Description: The interactive wizard for agent-wallet start surfaces raw_secret as an option, which stores keys unencrypted. The CLI Reference warns users with a :::danger admonition, which is appropriate. However, docs/Agent-Wallet/FAQ.md includes a comparison table showing raw_secret alongside local_secure, which may normalise the option for casual readers.

Suggestion: In FAQ.md, rename the comparison header from "What's the difference between local_secure and raw_secret?" to "Why you should never use raw_secret" to frame it as a discouragement, not a feature comparison. Alternatively, remove raw_secret from the comparison table entirely and only mention it in the developer CLI Reference with the existing danger callout.

[S-03] Missing Security Warning on `AGENT_WALLET_DIR="$HOME/.agent-wallet"` Default Visibility

File: docs/McpServer-Skills/MCP/SUNMCPServer/LocalPrivatizedDeployment.md : ~Lines 72–75; docs/McpServer-Skills/MCP/TRONMCPServer/LocalPrivatizedDeployment.md : same

Description: The env-var block correctly fixed ~/.agent-wallet to $HOME/.agent-wallet (tilde does not expand inside double-quoted assignment). However, neither location notes that the wallet directory itself ($HOME/.agent-wallet/) is only protected by filesystem permissions. If the home directory is world-readable, or if backup tools copy it to cloud storage, the encrypted keystore file could be exfiltrated.

Suggestion: Add a brief :::tip note such as: "Ensure your wallet directory has restricted permissions: chmod 700 ~/.agent-wallet. If you use cloud backup tools (Dropbox, Time Machine, etc.), exclude ~/.agent-wallet from sync."

Positive Observations

Area	Observation
Security fix: credentials in CI	`docker.yml` removes the `Debug Docker Hub secrets` step that was printing `username=[...]` and `token_length=...` to CI logs — a real credential hygiene improvement.
Shell quoting hardening	All three `LocalPrivatizedDeployment.md` files (TRON, SUN, and i18n copies) correctly changed `export AGENT_WALLET_PASSWORD="..."` to single quotes, preventing unexpected shell expansion of `$`, `!`, and backtick characters in passwords — a direct fix for an elevated security risk.
Tilde expansion fix	`AGENT_WALLET_DIR="~/.agent-wallet"` → `AGENT_WALLET_DIR="$HOME/.agent-wallet"` is technically correct; tilde `~` does not expand inside double-quoted assignment strings in bash, so the old default path would have been set literally as `~/.agent-wallet`.
Safe password existence check	FAQs replaced `echo $AGENT_WALLET_PASSWORD` (which prints the password to the terminal) with `[[ -n "$AGENT_WALLET_PASSWORD" ]] && echo "Password is set"` — a best practice that confirms configuration without exposing the credential.
Client-agnostic language	Removing Claude Desktop / Cursor / Cursor-specific config tabs reduces per-client maintenance burden and makes the docs more future-proof as new MCP clients emerge.
Centralised Agent Wallet reference	Replacing repeated inline install instructions with a link to `../../../Agent-Wallet/Intro` is a clean single-source-of-truth approach that will be easier to keep accurate.
Danger callout for `raw_secret`	The CLI Reference uses `:::danger` to clearly discourage use of the `raw_secret` wallet type for real funds — strong and appropriately placed.

Checklist Results

Category	Items Checked	Pass	Fail	N/A	Notes
Correctness	8	6	2	0	`npx add-mcp` / `npx skills add` may fail; step numbering gap in TRON local deployment
Security	10	8	2	0	Unverified npx packages (MJ-01, MJ-02); otherwise improved over main
Performance	7	0	0	7	No runtime code changed
Code Quality	10	8	2	0	i18n duplication risk; CLI examples show insecure password flag pattern
Testing	7	0	0	7	Documentation-only changes
Documentation	6	4	2	0	New Agent Wallet section comprehensive; two broken/unverified anchor links
Compatibility	5	5	0	0	Docusaurus config additions are additive; no breaking changes
Observability	4	0	0	4	No runtime code changed

Disclaimer

This is an automated code review. It supplements but does not replace human review. The reviewer analyzed only the diff between the specified branches. Runtime behavior, integration testing, and deployment impact are not covered. The npx add-mcp and npx skills add package concerns (MJ-01, MJ-02) should be validated against the actual npm registry and the team's intended package publishing strategy before this PR is merged.

Report generated by Code Review Skill v1.0.0
Date: 2026-03-23

github-actions · 2026-03-24T07:31:20Z

Code Review Report

Project: BofAI/docs (x402-tron documentation site)
PR: main -> update-mcp-server
Review Date: 2026-03-24
Reviewer: AI Code Reviewer (Code Review Skill v1.0.0)

PR Overview

Branch Information

Property	Value
From Branch	`main`
To Branch	`update-mcp-server`
Commits	45
Files Changed	54
Lines Added	+5608
Lines Removed	-2930

Commit History

Hash	Message
`b9fb0cc`	update setup process
`4c3b71b`	fix
`65940fe`	add restart ai agnet
`6b6423b`	delete tron mcp server trongrid
`249c43b`	Update Official Cloud Service MCP Usage Steps
`7fedc2e`	delete permanently
`b6621a6`	update skill and setup way
`590e69e`	update skills
`2248698`	update skill intro
`6295071`	update skill intro
`11c00b5`	update skills
`5ecdb8c`	update agent wallet
`b1e80c3`	update skills docs
`b6e023f`	workflow add update-mcp-server
`a5b2e70`	highlight agent wallet
`1ec9118`	fix
`4dff899`	fix new major audio issues
`26ff9f5`	fix MAJOR-1: echo $AGENT_WALLET_PASSWORD Instructs Users to Print Password to Terminal
`b92448f`	fix audio new issues
`ee9c759`	fix audio issues
`5e9152b`	fix audio report issue
`bafd81b`	fix audit suggestion
`b8ea082`	fix
`cf49298`	fix
`b1bfecd`	update
`bc4a8f0`	fix
`e88dbfc`	update agent-wallet
`a956313`	update
`57d7156`	Create audit-pr.yml
`6728342`	update
`1ebd798`	Merge branch 'main' into update-mcp-server
`822bdae`	fix
`224d32d`	fiix
`3b87508`	fix
`824c0d7`	fix
`17c1057`	fix
`47b8030`	fxi
`7fe32d7`	Merge pull request #28 from BofAI/ai-bankofai-patch-1
`2e02cab`	fix
`5dfcb8a`	fix
`a541e97`	fix
`956060e`	fix
`e5f417e`	fix
`fb1737f`	Merge pull request #26 from BofAI/ai-bankofai-patch-1
`24cf00e`	fix

Review Summary

Verdict

Verdict: Approve (with minor suggestions)

Findings at a Glance

	Critical	Major	Minor	Suggestion
Count	0	1	4	5

Summary

This PR makes substantial improvements to the BANK OF AI documentation site. The primary focus is the introduction of a brand-new Agent-Wallet documentation section (6 new files totalling approximately 1,958 lines) covering the secure local wallet product, alongside a pervasive rework of the MCP Server and SKILLS documentation to adopt a simplified, client-agnostic installation flow using npx add-mcp instead of per-client JSON configuration snippets.

The security guidance throughout the new Agent-Wallet documentation is exemplary — it correctly advises using single-quoted shell assignments to prevent variable interpolation, cautions against echo-based shell-history exposure, and provides careful raw_secret vs local_secure comparisons. The removal of the debug step that printed Docker Hub credentials to CI logs is a direct security improvement. A previous concern about instructing users to echo $AGENT_WALLET_PASSWORD appears to have already been addressed by earlier commits on this branch (commit 26ff9f5).

One major documentation issue stands out: the SKILLS QuickStart.md still instructs users via Option 2 to add TRON_PRIVATE_KEY using double-quoted shell syntax (export TRON_PRIVATE_KEY="your_real_or_testnet_private_key"), which is inconsistent with — and contradicts — the single-quote guidance enforced everywhere else in the PR. This creates a subtle but real security risk for users with special characters in their keys. Several minor issues also exist: the workflow_dispatch comment is mildly inaccurate, the SUNMCPServer LocalPrivatizedDeployment.md numbering jumps from Step 3 to Step 5, a broken relative Docusaurus link appears in one location, and two files use Windows-oriented instructions on a page claiming Linux support. None of these are blocking, but the double-quote inconsistency should be corrected before merge.

Change Summary

1. CI/CD Workflow (`.github/workflows/docker.yml`)

Modified. Replaced the ai-bankofai-patch-1 branch with update-mcp-server in push/PR triggers.
Removed the "Debug Docker Hub secrets" step that echoed the Docker Hub username and token length to the CI log — a security improvement.
Added a comment to workflow_dispatch explaining why it is unrestricted.

2. New Agent-Wallet Documentation Section (7 new files)

docs/Agent-Wallet/Intro.md — Concept page explaining the dual-lock security model.
docs/Agent-Wallet/QuickStart.md — Step-by-step setup guide.
docs/Agent-Wallet/FAQ.md — Q&A covering security, password recovery, OS support, and wallet types.
docs/Agent-Wallet/Developer/CLI-Reference.md — Full reference for every agent-wallet CLI command.
docs/Agent-Wallet/Developer/SDK-Guide.md — TypeScript/Python SDK integration guide.
docs/Agent-Wallet/Developer/SDK-Cookbook.md — Complete runnable examples for TRON transfer, BSC/EVM transfer, and x402 payment.
Corresponding mirror copies in i18n/en/docusaurus-plugin-content-docs/current/Agent-Wallet/.

3. MCP Server Documentation — Client-Agnostic Refactor

TRONMCPServer/QuickStart.md and SUNMCPServer/QuickStart.md: Replaced per-client tabbed JSON snippets with a single npx add-mcp <url> command.
TRONMCPServer/OfficialServerAccess.md and SUNMCPServer/OfficialServerAccess.md: Removed tab-based multi-client configs; replaced with an npx add-mcp walkthrough with illustrated terminal output.
TRONMCPServer/LocalPrivatizedDeployment.md and SUNMCPServer/LocalPrivatizedDeployment.md: Removed detailed per-client JSON config blocks; replaced with generic configuration notes and three server-launch options. Updated environment variable examples to use single quotes and $HOME instead of ~ for AGENT_WALLET_DIR.
TRONMCPServer/FAQ.md: Generalised Claude Desktop-specific troubleshooting to generic MCP client wording. Updated password-incorrect guidance to reference agent-wallet start (not agent-wallet init) and link to the new CLI Reference.
TRONMCPServer/Intro.md and TRONMCPServer/ToolList.md: Minor wording cleanup; list_wallets and select_wallet tool descriptions now hyperlink to Agent-Wallet docs.

4. SKILLS Documentation Rework

SKILLS/Intro.md: Rewritten from a technical architecture explanation to a marketing-oriented intro with scenario comparisons.
SKILLS/BANKOFAISkill.md: Restructured from a developer reference to a user-facing "Skill Catalog" with natural-language sample prompts for each skill.
SKILLS/Faq.md: Major reorganisation: reordered from developer-first to user-first priority, expanded safety section.
SKILLS/QuickStart.md: New file. Two-step quick-start: npx skills add then chat.

5. Openclaw Extension Documentation

Openclaw-extension/Intro.md: Rewritten in a friendlier, marketing tone.
Openclaw-extension/QuickStart.md: Gamified into "level" language; removed detailed phase-by-phase breakdown.
Openclaw-extension/FAQ.md: Significantly condensed; removed many technical troubleshooting items.

6. Navigation

sidebars.js and its i18n mirror: Added SKILLS/QuickStart entry and the entire Agent Wallet category with sub-items for Intro, QuickStart, Developer section, and FAQ.

7. Package Version

package.json: Version bumped from 1.2.3 to 1.2.4.

Detailed Findings

Finding 1 — Double-Quoted Shell Export in SKILLS QuickStart (Major)

File: docs/McpServer-Skills/SKILLS/QuickStart.md (and its i18n mirror)
Severity: Major
Category: Documentation / Security Guidance Consistency

Code evidence:

export TRON_PRIVATE_KEY="your_real_or_testnet_private_key"

This appears under "Option 2: Paste Your Private Key Directly," with the inline note "⚠️ Important: Don't forget the double quotes on both sides!"

Problem: Every other location in this PR that teaches users to write a sensitive value to their shell config — AGENT_WALLET_PASSWORD, AGENT_WALLET_DIR, and credential examples in CLI-Reference.md, QuickStart.md, Faq.md, LocalPrivatizedDeployment.md, and SDK-Cookbook.md — explicitly uses single quotes and explains that double quotes cause shell variable expansion that silently corrupts values containing $, !, and other special characters. This one location does the opposite: it instructs users to use double quotes and emphasises them as mandatory. A private key is a hexadecimal string and therefore cannot contain $, so the functional risk here is low, but the inconsistency directly contradicts the single-quote guidance taught everywhere else. Users who learn the double-quote pattern here will apply it to other sensitive exports (like AGENT_WALLET_PASSWORD) where it will cause hard-to-debug failures.

Recommendation: Change to single quotes for consistency and to avoid teaching incorrect muscle memory:

export TRON_PRIVATE_KEY='your_real_or_testnet_private_key'

Remove the "Don't forget the double quotes!" callout or replace it with a note about single quotes being the safe convention for credential exports.

Finding 2 — `workflow_dispatch` Comment Is Slightly Misleading (Minor)

File: .github/workflows/docker.yml
Severity: Minor
Category: Documentation / Code Quality

Code evidence:

workflow_dispatch: # Intentionally unrestricted — allows manual builds from any branch for flexibility

Problem: workflow_dispatch always allows manual builds from any branch by design in GitHub Actions; no configuration is needed to achieve this. The comment implies this was an intentional explicit choice that required action, but it is simply the default behaviour. A reader may conclude this was a deliberate security consideration when it was not.

Recommendation: Either remove the comment or rephrase it to be accurate, e.g.:

workflow_dispatch: # Manual trigger — runs on the branch selected at dispatch time (GitHub default behaviour)

Finding 3 — Step Numbering Gap in `SUNMCPServer/LocalPrivatizedDeployment.md` (Minor)

File: docs/McpServer-Skills/MCP/SUNMCPServer/LocalPrivatizedDeployment.md
Severity: Minor
Category: Documentation / Maintainability

Problem: The PR renames "Step 3: Client Configuration" to "Step 3: Server Running Methods" and adds a new "Step 4: Client Configuration," but the step following that is labeled "Step 5: Verify Connection" — a number that existed in the old file but now appears orphaned after the reorganisation. The section sequence reads: Step 1, Step 2, Step 3, Step 4, Step 5 — but based on the diff the intermediate renaming left Step 5 intact while the total number of logical steps decreased from five to five with different content. By contrast, the parallel TRONMCPServer/LocalPrivatizedDeployment.md correctly renumbers its verification step to "Step 4" after removing the old Step 4. The SUN file is inconsistent with its TRON counterpart.

Recommendation: Verify the final step numbering in SUNMCPServer/LocalPrivatizedDeployment.md matches the TRON counterpart; if the client configuration step was removed from the SUN file as well, the verify step should be renumbered to Step 4.

Finding 4 — Broken Relative Link in `TRONMCPServer/FAQ.md` (Minor)

File: docs/McpServer-Skills/MCP/TRONMCPServer/FAQ.md
Severity: Minor
Category: Documentation / Correctness

Code evidence (added line):

If the password is lost, you'll need to re-initialize. **Warning: this wipes all wallets and keys — ensure funds are moved or mnemonics backed up before proceeding.** Run `agent-wallet reset` to wipe and start over — see [CLI Reference → Reset](../../../Agent-Wallet/Developer/CLI-Reference#agent-wallet-reset-reset-all-data) and [Agent-Wallet FAQ](../../../Agent-Wallet/FAQ) for details.

Problem: The anchor fragment #agent-wallet-reset-reset-all-data uses a heading slug derived from ### agent-wallet reset (Reset All Data). The actual heading in CLI-Reference.md is ### \agent-wallet reset` (Reset All Data). Docusaurus generates anchor IDs by stripping backticks, so the resulting slug is agent-wallet-reset-reset-all-data`. This is likely correct, but the fragment format should be verified against actual Docusaurus output. If the generated anchor does not match, users will land at the top of the page with no visual indication of failure.

Recommendation: Test the anchor link in the Docusaurus development server. If it fails, use the Docusaurus-generated ID (which can be inspected in the rendered HTML) or use a heading without inline code to make the slug predictable.

Finding 5 — Openclaw QuickStart Uses Mac-Only Instructions Without OS Branching (Minor)

File: docs/Openclaw-extension/QuickStart.md
Severity: Minor
Category: Documentation / Correctness

Code evidence:

- **Mac:** Press `Command + Space`, type `Terminal` in the search box, and hit Enter.

And later, in the API Keys section:

open -e ~/.zshrc

Problem: The page no longer has OS-specific tabs (the original had a tab for Linux, the new version does not). The instruction to open a terminal using Command + Space is Mac-only, and open -e ~/.zshrc is a macOS-only command that will not work on Linux. Linux users following this page will be stuck at the first step. The old page supported Linux via its separate tab structure.

Recommendation: Either restore OS-specific tabs for the sensitive steps, add a note that the page currently targets macOS users only, or replace Mac-specific commands with cross-platform equivalents (e.g., nano ~/.zshrc works on both macOS and Linux).

Suggestion 1 — `AGENT_WALLET_DIR` Uses `$HOME` in One Place, `~` in Another

File: docs/Agent-Wallet/Developer/CLI-Reference.md vs docs/McpServer-Skills/MCP/TRONMCPServer/LocalPrivatizedDeployment.md
Severity: Suggestion
Category: Code Quality / Consistency

The LocalPrivatizedDeployment.md files were correctly updated to use $HOME/.agent-wallet instead of ~/.agent-wallet in the AGENT_WALLET_DIR export (since ~ is not expanded inside double quotes). However, the new CLI-Reference.md uses --dir /Volumes/MyUSB/agent-wallet only for an external USB example and does not demonstrate the AGENT_WALLET_DIR env var directly. Ensure any new content that demonstrates AGENT_WALLET_DIR consistently uses $HOME or an absolute path, not ~.

Suggestion 2 — Commit Message Quality

Severity: Suggestion
Category: Maintainability

A large number of commits (>15) are titled "fix" or single-word variations ("fiix", "fxi", "fix audio issues", "fix new major audio issues"). These provide no searchable context for future git log archaeology. Future contributions would benefit from conventional commits or at minimum a brief subject describing what was fixed.

Suggestion 3 — `npx add-mcp` Is Not a Universally Available Tool

Files: docs/McpServer-Skills/MCP/TRONMCPServer/QuickStart.md, SUNMCPServer/QuickStart.md, both OfficialServerAccess.md files, SKILLS/QuickStart.md
Severity: Suggestion
Category: Documentation / Correctness

The PR replaces all client-specific configuration instructions with a single npx add-mcp <url> or npx skills add <repo> command. As of the review date npx add-mcp is not a standard npm package; it appears to be the @modelcontextprotocol/add-mcp CLI or a similar third-party installer. If this package is not yet widely known or published, users without an understanding of MCP tooling will get an error. The documentation does not explain what this tool is or link to its own documentation. Consider adding a brief note such as: "add-mcp is an MCP installer utility — run it directly with npx and it will download automatically."

Suggestion 4 — Removed Concrete Configuration Examples May Hurt Power Users

Files: Multiple LocalPrivatizedDeployment.md and OfficialServerAccess.md files
Severity: Suggestion
Category: Documentation / Maintainability

The PR removes all per-client JSON configuration snippets (Claude Desktop, Cursor, Claude Code) in favour of generic npx add-mcp instructions and vague "refer to your client's documentation" notes. While this makes the docs easier to maintain, it significantly reduces the utility of the docs for users who prefer manual configuration, use Claude Desktop (which requires JSON config), or are in environments where npx add-mcp is unavailable. Consider providing a link to a "Manual Configuration" supplemental page or retaining the JSON examples in a collapsible <details> block.

Suggestion 5 — `SKILLS/Intro.md` Emoji Usage May Not Render in All Contexts

File: docs/McpServer-Skills/SKILLS/Intro.md
Severity: Suggestion
Category: Documentation / Accessibility

The new Intro.md makes heavy use of emoji (🌟, 🎬, 🛡️, 💱, 📈, etc.) as structural indicators. This pattern is inconsistent with other documentation pages in the repository and may not render correctly in all CI systems, screen readers, or plain-text representations of the docs. Consider limiting emoji to decorative uses where they do not carry structural meaning that could be lost if they fail to render.

Positive Observations

Security improvement in CI: The removal of the "Debug Docker Hub secrets" step that echoed username=[$DOCKERHUB_USERNAME] and token_length=... to the CI log eliminates a potential secrets exposure vector in the build log. This is a direct and meaningful security fix.
Consistent single-quote shell guidance: Throughout the new Agent-Wallet documentation (QuickStart.md, CLI-Reference.md, SDK-Cookbook.md, FAQ.md), every shell export of a sensitive value uses single quotes with explicit callouts explaining why. This is security-correct and educationally valuable. The earlier commit 26ff9f5 ("fix MAJOR-1: echo $AGENT_WALLET_PASSWORD Instructs Users to Print Password to Terminal") also demonstrates active attention to security documentation quality.
$HOME over ~ in env var exports: The updated LocalPrivatizedDeployment.md files correctly changed export AGENT_WALLET_DIR="~/.agent-wallet" to export AGENT_WALLET_DIR="$HOME/.agent-wallet". This is technically correct — ~ is only expanded by the shell when unquoted, whereas $HOME is always expanded inside double-quoted strings.
Agent-Wallet dual-lock security model is clearly explained: The Intro.md for Agent-Wallet provides an accurate and understandable description of why separating the encrypted keystore file from the unlock password provides meaningful defense-in-depth over plaintext key storage. The threat model section ("This Isn't Hypothetical — It's Already Happening") grounds the advice in real attack scenarios.
Removal of agent-wallet init command reference: The updated TRONMCPServer/FAQ.md correctly replaces references to agent-wallet init with agent-wallet start and agent-wallet reset, which appear to be the accurate current CLI commands based on the new CLI Reference documentation.
Sidebar navigation is complete: The new Agent-Wallet section is fully wired into sidebars.js with correct nesting (Intro, QuickStart, a collapsed Developer sub-category, and FAQ), matching the structure of other top-level documentation sections.
SDK Cookbook provides runnable, end-to-end examples: The new SDK-Cookbook.md includes complete TypeScript and Python examples with address-mismatch validation, signature field verification, and explicit error handling — a quality level above typical documentation examples.

Checklist Results

Category	Status	Notes
Correctness & Logic	Pass (with minor issues)	Step numbering gap in SUNMCPServer LocalPrivatizedDeployment; potential broken anchor fragment
Security	Pass (with major issue)	Double-quoted `TRON_PRIVATE_KEY` export contradicts single-quote guidance; CI debug secrets step correctly removed
Performance	N/A	Documentation-only changes; no runtime code changed
Code Quality	Pass (with suggestions)	Commit messages are poor; emoji-heavy content inconsistent with other docs
Testing	N/A	No automated tests for documentation content; build/render verification is the applicable test
Documentation & Maintainability	Pass (with suggestions)	New Agent-Wallet section is thorough; removal of per-client configs reduces maintainability for manual users

Disclaimer

This is an automated code review generated by AI Code Reviewer. While this review aims to be thorough and accurate, it may miss context-specific issues or incorrectly flag items due to limited understanding of project-specific conventions. All findings should be reviewed by a human developer before action is taken. This review covers only the diff between main and update-mcp-server — unchanged code was not audited.

Report generated by Code Review Skill v1.0.0
Date: 2026-03-24

github-actions · 2026-03-24T08:23:37Z

Code Review Report

Project: BofAI Docs (@x402-tron/docs)
PR: main -> update-mcp-server
Review Date: 2026-03-24
Reviewer: AI Code Reviewer (Code Review Skill v1.0.0)

PR Overview

Branch Information

Property	Value
From Branch	`main`
To Branch	`update-mcp-server`
Commits	43
Files Changed	54
Lines Added	+5,608
Lines Removed	-2,930

Commit History (Recent)

Hash	Message
`533abed`	skills quickstart — Double Quotes to Single Quotes
`b9fb0cc`	update setup process
`4c3b71b`	fix
`65940fe`	add restart AI agent
`6b6423b`	delete tron mcp server trongrid
`249c43b`	Update Official Cloud Service MCP Usage Steps
`b6621a6`	update skill and setup way
`590e69e`	update skills
`5ecdb8c`	update agent wallet
`26ff9f5`	fix MAJOR-1: echo $AGENT_WALLET_PASSWORD instructs users to print password to terminal
`bafd81b`	fix audit suggestion
`e88dbfc`	update agent-wallet

Review Summary

Verdict

Verdict: Request Changes

Findings at a Glance

	Critical	Major	Minor	Suggestion
Count	0	3	4	3

Summary

This PR introduces a new Agent Wallet documentation section (6 new files covering an intro, quick start, FAQ, CLI reference, SDK guide, and SDK cookbook), substantially rewrites the MCP Server (TRON and SUN) and SKILLS documentation, and simplifies the Openclaw extension guide. The overarching intent is to adopt a unified npx add-mcp / npx skills add installation flow that is client-agnostic and friendlier for beginners, while retiring the previous client-specific tab-based configuration examples. Several important security improvements are included: a debug CI step that echoed Docker Hub credentials is removed; all export statements for sensitive env vars are corrected from double-quotes to single-quotes; and a dangerous echo $AGENT_WALLET_PASSWORD instruction is replaced with a non-revealing check.

However, three major issues require attention before merge. First, the LocalPrivatizedDeployment.md refactor leaves the client-configuration section in an incomplete, non-actionable state — the old per-client JSON configs were removed but not replaced with equivalent guidance. Second, both npx add-mcp (now the primary install path for MCP servers) and npx skills add run unversioned third-party npm packages that could carry supply chain risk; none of the new documentation mentions this or advises pinning a version. Third, BANKOFAISkill.md still lists "paste your private key directly into your system config file" as Option 2 for credential setup — inconsistent with the security principles championed everywhere else in this PR.

Change Summary

1. CI/CD Workflow Update (`.github/workflows/docker.yml`)

File	Change Type	Description
`.github/workflows/docker.yml`	Modified	Branch trigger renamed, debug step removed, comment added to `workflow_dispatch`

Purpose: Aligns the Docker build trigger to the new update-mcp-server branch and removes a debug step that surfaced Docker Hub credential metadata in CI logs.

2. New Agent Wallet Documentation (6 new files)

File	Change Type	Description
`docs/Agent-Wallet/Intro.md`	Added	Concept introduction — threat model, dual-lock mechanism, comparison table
`docs/Agent-Wallet/QuickStart.md`	Added	End-to-end walkthrough: install, create wallet, configure env var, restart
`docs/Agent-Wallet/FAQ.md`	Added	Three top concerns + everyday use, wallet types, security, install FAQ
`docs/Agent-Wallet/Developer/CLI-Reference.md`	Added	Complete CLI command reference
`docs/Agent-Wallet/Developer/SDK-Guide.md`	Added	TypeScript and Python SDK walkthrough with two operating modes
`docs/Agent-Wallet/Developer/SDK-Cookbook.md`	Added	End-to-end runnable scripts for TRON transfer, BSC transfer, x402 payment

Purpose: Provides authoritative documentation for the Agent Wallet product across beginner (Intro, QuickStart, FAQ) and developer (CLI, SDK Guide, SDK Cookbook) audiences.

3. MCP Server Docs Simplified — TRON & SUN

File	Change Type	Description
`docs/McpServer-Skills/MCP/TRONMCPServer/OfficialServerAccess.md`	Modified	Replaced per-client tab configs with `npx add-mcp` walkthrough
`docs/McpServer-Skills/MCP/TRONMCPServer/QuickStart.md`	Modified	Same simplification
`docs/McpServer-Skills/MCP/TRONMCPServer/LocalPrivatizedDeployment.md`	Modified	Removed Step 4 per-client config examples; replaced with vague "Configuration Notes"
`docs/McpServer-Skills/MCP/TRONMCPServer/FAQ.md`	Modified	Made client-agnostic; condensed wallet troubleshooting; links to Agent-Wallet docs
`docs/McpServer-Skills/MCP/TRONMCPServer/Intro.md`	Modified	Minor wording
`docs/McpServer-Skills/MCP/TRONMCPServer/ToolList.md`	Modified	Minor wording
`docs/McpServer-Skills/MCP/SUNMCPServer/OfficialServerAccess.md`	Modified	Same `npx add-mcp` simplification
`docs/McpServer-Skills/MCP/SUNMCPServer/QuickStart.md`	Modified	Same simplification
`docs/McpServer-Skills/MCP/SUNMCPServer/LocalPrivatizedDeployment.md`	Modified	Similar condensation
`docs/McpServer-Skills/MCP/SUNMCPServer/FAQ.md`	Modified	Client-agnostic; better password-check idiom; links to CLI Reference
`docs/McpServer-Skills/MCP/Intro.md`	Modified	Minor wording

Purpose: Move away from tool-specific instructions (Claude Desktop / Claude Code / Cursor tabs) toward a single npx add-mcp <url> command that works across any compatible MCP client.

4. SKILLS Documentation Rework

File	Change Type	Description
`docs/McpServer-Skills/SKILLS/QuickStart.md`	Added	New file: `npx skills add` installation walkthrough
`docs/McpServer-Skills/SKILLS/BANKOFAISkill.md`	Modified	Renamed to "Skill Catalog"; replaced installation instructions with prompt examples
`docs/McpServer-Skills/SKILLS/Intro.md`	Modified	Rewording
`docs/McpServer-Skills/SKILLS/Faq.md`	Modified	Rewording

Purpose: Simplify skill installation to a single npx skills add command and focus the catalog page on prompts users can copy-paste.

5. Openclaw Extension Docs Rewrites

File	Change Type	Description
`docs/Openclaw-extension/QuickStart.md`	Modified	Full rewrite; gamified tone, step-by-step wizard walkthrough
`docs/Openclaw-extension/FAQ.md`	Modified	Condensed; plain-English troubleshooting
`docs/Openclaw-extension/Intro.md`	Modified	Updated

Purpose: Lower the barrier for first-time users by reframing technical steps as a "mini-game with 4 levels."

6. Navigation & Package

File	Change Type	Description
`sidebars.js`	Modified	Added Agent Wallet category; added SKILLS QuickStart entry
`package.json`	Modified	Version bump `1.2.3` → `1.2.4`
`i18n/` (multiple)	Modified	Mirror of all English doc changes above

Detailed Findings

Major

[MJ-01] `LocalPrivatizedDeployment.md` — Step 4 Client Configuration Removed Without Replacement

Property	Value
Severity	Major
Category	Documentation / Correctness
File	`docs/McpServer-Skills/MCP/TRONMCPServer/LocalPrivatizedDeployment.md` : Lines ~155–185 (new)

Description

The diff removes the entire "Step 4: Client Configuration" section — which contained complete, working JSON/CLI examples for Claude Desktop, Claude Code, and Cursor (Options A–C) — and replaces it with two vague bullet points under "Configuration Notes." The replacement text does not show what the JSON should look like, does not reference the correct config file paths, and does not address the env block needed when system env vars are not inherited. The step count also decrements silently (Step 5 "Verify Connection" becomes Step 4), which could confuse users following numbered steps.

The SUN MCP Server equivalent (SUNMCPServer/LocalPrivatizedDeployment.md) has the same problem.

Code (removed — what was there before)

// Claude Desktop — claude_desktop_config.json
{
  "mcpServers": {
    "mcp-server-tron": {
      "command": "npx",
      "args": ["-y", "@bankofai/mcp-server-tron"],
      "env": {
        "AGENT_WALLET_PASSWORD": "YOUR_PASSWORD (Or set in system env)",
        "TRONGRID_API_KEY":      "YOUR_KEY_HERE (Or set in system env)"
      }
    }
  }
}

Code (what replaced it)

#### Configuration Notes

If you're configuring an MCP client to point to your local server:

- **If running via npx or source**: Use the appropriate command in your MCP client's
  configuration (e.g., `command: npx` with `args: ["-y", "@bankofai/mcp-server-tron"]`)
- **If running in HTTP mode**: Point your client to `http://localhost:3001/mcp` via
  the HTTP URL configuration option

Recommendation

Restore concrete JSON examples (or link to a dedicated "Client Configuration" reference page). At minimum, show the Claude Desktop / Claude Code / Cursor configs that were there before, or clearly direct users to a page that contains them. The env section note (which warned about not committing secrets to version control) should also be retained.

[MJ-02] `npx add-mcp` and `npx skills add` Execute Unversioned Remote Packages — Supply Chain Risk Not Disclosed

Property	Value
Severity	Major
Category	Security
File	`docs/McpServer-Skills/MCP/TRONMCPServer/OfficialServerAccess.md`, `docs/McpServer-Skills/MCP/SUNMCPServer/OfficialServerAccess.md`, `docs/McpServer-Skills/MCP/TRONMCPServer/QuickStart.md`, `docs/McpServer-Skills/MCP/SUNMCPServer/QuickStart.md`, `docs/McpServer-Skills/SKILLS/QuickStart.md`

Description

All new installation flows instruct users to run:
npx add-mcp https://tron-mcp-server.bankofai.io/mcp
npx skills add https://github.com/BofAI/skills
npx (without a pinned version) downloads and executes the latest published package from npm at the time of the command. If add-mcp or skills is compromised — by a typosquatting attack, a hijacked npm account, or a malicious dependency update — users will silently execute attacker-controlled code in their local shell. This risk is multiplied by the fact that these docs encourage users to "tell your AI Agent to execute the following command," meaning an AI model may be the one running the command, with no human review of what is being fetched.

No new documentation in this PR mentions the supply chain risk or advises pinning a specific version.

Code

# Appears in every new QuickStart and OfficialServerAccess page:
npx add-mcp https://tron-mcp-server.bankofai.io/mcp
npx skills add https://github.com/BofAI/skills

Recommendation

Pin a specific npm package version in the npx invocations (e.g., npx add-mcp@1.2.3 ...) or document which package owns the add-mcp and skills bin aliases.
Add a brief security note alongside each command explaining that it downloads and executes code from npm. Link to the package's npm page / GitHub repo for transparency.
Alternatively, provide the manual configuration alternative (JSON snippet) as a fallback for security-sensitive users — the same information that was removed in MJ-01.

[MJ-03] `BANKOFAISkill.md` — "Paste Private Key Directly" Listed as a Valid Option

Property	Value
Severity	Major
Category	Security / Documentation
File	`docs/McpServer-Skills/SKILLS/BANKOFAISkill.md` : Lines ~40–50 (new content)

Description

Under "Where Do I Get These Keys? How Do I Set Them Up?", the new revision presents two credential-setup options for wallet credentials:

Option 1 (Recommended): Use Agent Wallet — private key encrypted and never exposed.

Option 2: Paste your private key directly into your system config file (the "notepad method").

Option 2 directly contradicts the security model Agent Wallet is designed to prevent, and contradicts the :::danger blocks in Agent-Wallet/Intro.md, Agent-Wallet/QuickStart.md, and Agent-Wallet/Developer/SDK-Guide.md. Labeling it "great for power users or quick testing" normalises unsafe key management. A user who reads only the Skill Catalog page and misses the Agent Wallet intro will have no indication that Option 2 is dangerous on anything but a throw-away key.

Code

- **Option 2:** Paste your private key directly into your system config file
  (the "notepad method") — great for power users or quick testing.

Recommendation

Either remove Option 2 entirely from this page and redirect all users to the Agent Wallet QuickStart, or reframe it with an explicit :::danger admonition (consistent with every other place in the docs where plaintext private key usage is discussed) and restrict it to "fully isolated testnet keys only."

Minor

[MN-01] `TRONMCPServer/FAQ.md` — Concrete Multi-Server JSON Example Removed Without Replacement

Property	Value
Severity	Minor
Category	Documentation
File	`docs/McpServer-Skills/MCP/TRONMCPServer/FAQ.md` : "Can I use multiple TRON MCP Servers simultaneously?"

Description

The previous answer included a concrete working JSON snippet showing how to define two named MCP server entries simultaneously (mainnet cloud + local testnet). The new answer replaces it with: "Configure both servers with different names in your client's MCP configuration." Without the JSON example, users have no actionable guidance on the correct structure for multi-server configuration.

Recommendation

Restore the JSON example (or a condensed version of it), or link to a dedicated configuration reference that shows the structure. A concrete example is especially valuable in an FAQ.

[MN-02] `Agent-Wallet/QuickStart.md` — No Windows Tab or Unsupported-OS Notice

Property	Value
Severity	Minor
Category	Documentation
File	`docs/Agent-Wallet/QuickStart.md` : Step 2.1

Description

Step 2.1 "Save and Activate the Password" offers two tabs: "Mac Users (Zsh)" and "Linux Users." The Agent Wallet FAQ (same PR) states Windows is not supported. A Windows user landing on this QuickStart will see no guidance for their OS and receive no explanation of why.

Recommendation

Add a third tab "Windows Users" whose content simply states that Windows is not currently supported and directs users to the FAQ (which has the same information). This prevents user confusion and sets accurate expectations early in the flow.

[MN-03] `SUNMCPServer/FAQ.md` — Double-Quote Inconsistency for `TRON_MNEMONIC`

Property	Value
Severity	Minor
Category	Security / Correctness
File	`docs/McpServer-Skills/MCP/SUNMCPServer/FAQ.md` : Lines ~148–168

Description

The PR comprehensively converts " → ' for export statements involving sensitive env vars (AGENT_WALLET_PASSWORD, TRON_PRIVATE_KEY, TRON_MNEMONIC). However, in the "Conflicting Wallet Modes" section, TRON_MNEMONIC is fixed to single quotes (✅), but in the same block TRON_PRIVATE_KEY is also fixed (✅). Cross-checking the TRONMCPServer/FAQ.md equivalent block, the mnemonic fix is correct there too. The fix appears complete in the docs that were changed — this is a note to verify the i18n mirror files received the same treatment consistently (they are mirrored in the diff but worth confirming during QA).

Recommendation

Verify all i18n mirror files under i18n/current/ have the same single-quote fix applied. Consider adding a CI lint rule (e.g., a grep check) to flag export VARIABLE=" patterns in documentation, since this class of error has appeared multiple times across commits.

[MN-04] `TRONMCPServer/LocalPrivatizedDeployment.md` — Step Numbering Gap

Property	Value
Severity	Minor
Category	Documentation
File	`docs/McpServer-Skills/MCP/TRONMCPServer/LocalPrivatizedDeployment.md`

Description

With Step 4 "Client Configuration" removed, the document now has Steps 1, 2, 3 (Installation), then jumps directly to "Step 4: Verify Connection" (previously Step 5). The verify step was renumbered correctly but the gap (the missing client configuration step) may confuse readers who have bookmarked, followed tutorials, or watched videos referencing the old five-step flow.

Recommendation

Either restore Step 4 content (see MJ-01) or add a brief bridging note explaining that client-specific configuration has moved to a central reference, keeping the prose coherent.

Suggestions

[S-01] `docker.yml` — `workflow_dispatch` Comment Wording

File: .github/workflows/docker.yml

Description: The new comment # Intentionally unrestricted — allows manual builds from any branch for flexibility is accurate but slightly informal for a CI file. This is subjective but can be tightened.

Suggestion: # Unrestricted: allows manual workflow triggers from any branch.

[S-02] Agent Wallet SDK Cookbook — `fromAddress` Hardcoded Placeholder

File: docs/Agent-Wallet/Developer/SDK-Cookbook.md

Description: The TypeScript TRON transfer example uses the string "YOUR_TRON_ADDRESS" as a placeholder for fromAddress and then validates it against wallet.getAddress(). If a user runs the example without substituting the placeholder, the validation will always fail with a confusing error message about address mismatch rather than a clear "you forgot to replace the placeholder" message.

Suggestion: Add a guard at the top of the example that detects the placeholder and throws a helpful error, e.g.:

if (fromAddress === "YOUR_TRON_ADDRESS") {
  throw new Error("Replace 'YOUR_TRON_ADDRESS' with your actual TRON wallet address before running.");
}

[S-03] SKILLS `QuickStart.md` — Security Assessment Table Uses Vendor-Opaque Column Headers

File: docs/McpServer-Skills/SKILLS/QuickStart.md

Description: The installation walkthrough shows a security scan table with columns Gen, Socket, and Snyk. These are vendor names/brand abbreviations that end-users unfamiliar with npm security tooling will not recognise. The x402-payment row shows Med and 1 alert which users are instructed to approve without understanding.

Suggestion: Add a brief legend below the table explaining what each column represents and what Med / 1 alert mean (severity level, what kind of vulnerability triggered the flag), so users can make an informed decision before selecting Yes.

Positive Observations

Area	Observation
CI Security	Removed the `Debug Docker Hub secrets` step that echoed `$DOCKERHUB_USERNAME` and token length into CI logs — a genuine security improvement that removes information leakage from workflow runs.
Env Var Quoting (Systematic)	A dedicated commit (`533abed`) systematically converts all `export VAR="value"` to `export VAR='value'` for passwords and private keys across ~10 files. This prevents shell expansion from silently corrupting special-character passwords — a subtle but real footgun.
Non-Revealing Password Check	Replaced `echo $AGENT_WALLET_PASSWORD` (which would print the password in plain text to the terminal) with `[[ -n "$AGENT_WALLET_PASSWORD" ]] && echo "Password is set"
Agent Wallet Documentation Quality	The six new Agent-Wallet files are thorough and well-structured. The threat model in `Intro.md` is compelling and accurate. `SDK-Guide.md` clearly delineates "core" vs. "fallback" operating modes with appropriate :::danger admonitions. `SDK-Cookbook.md` provides complete, runnable end-to-end examples with realistic error handling (signature field check, `txID` validation).
Client-Agnostic Language	Replacing "Claude Desktop" / "Claude Code" / "Cursor" specific references with generic "MCP client" / "AI Agent" terminology in FAQ troubleshooting steps is a good abstraction that extends the docs' useful life across the evolving MCP ecosystem.
`agent-wallet reset` Warning	Both TRON and SUN MCP FAQs now include an explicit warning that `agent-wallet reset` wipes all wallets and keys, with a prompt to back up mnemonics before proceeding — a meaningful safety improvement over the old `rm -rf ~/.agent-wallet/` raw instruction.
Security Warnings Consistency	The Agent Wallet documentation consistently applies :::caution for the env-var quoting pitfall, :::danger for static injection mode / `raw_secret` wallet type, and plain prose callouts elsewhere. The severity scale is appropriate and used consistently.

Checklist Results

Category	Items Checked	Pass	Fail	Notes
Correctness	5	4	1	Step numbering gap in LocalPrivatizedDeployment
Security	8	5	3	npx supply chain, plaintext key as Option 2, single-quote audit of i18n
Performance	3	3	0	No performance-sensitive code changed
Code Quality	6	5	1	Removed content not replaced (MJ-01)
Testing	4	4	0	Docs repo — no functional tests required
Documentation	8	6	2	MJ-01 (incomplete config section), MN-01 (missing JSON example)
Compatibility	3	2	1	Windows unsupported but not surfaced in QuickStart (MN-02)
Observability	2	2	0	CI debug step removed; no new observability gaps

Disclaimer

This is an automated code review. It supplements but does not replace human review. The reviewer analyzed only the diff between main and update-mcp-server. Runtime behavior, integration testing, and deployment impact are not covered. All line number references are approximate relative to the diffed content.

Report generated by Code Review Skill v1.0.0
Date: 2026-03-24

github-actions · 2026-03-24T10:13:54Z

Code Review Report

Project: BofAI Docs (x402-tron documentation site)
PR: main -> update-mcp-server
Review Date: 2026-03-24
Reviewer: AI Code Reviewer (Code Review Skill v1.0.0)

PR Overview

Branch Information

Property	Value
From Branch	`main`
To Branch	`update-mcp-server`
Commits	47
Files Changed	54
Lines Added	+5686
Lines Removed	-2904

Commit History

Hash	Message
`88515e5`	add setup mode
`533abed`	skills quickstart Double Quotes to Single Quotes
`b9fb0cc`	update setup process
`4c3b71b`	fix
`65940fe`	add restart ai agnet
`6b6423b`	delete tron mcp server trongrid
`249c43b`	Update Official Cloud Service MCP Usage Steps
`7fedc2e`	delete permanently
`b6621a6`	update skill and setup way
`590e69e`	update skills
`2248698`	update skill intro
`6295071`	update skill intro
`11c00b5`	update skills
`5ecdb8c`	update agent wallet
`b1e80c3`	update skills docs
`b6e023f`	workflow add update-mcp-server
`a5b2e70`	highlight agent wallet
`1ec9118`	fix
`4dff899`	fix new major audio issues
`26ff9f5`	fix MAJOR-1: echo $AGENT_WALLET_PASSWORD Instructs Users to Print Password to Terminal
`b92448f`	fix audio new issues
`ee9c759`	fix audio issues
`5e9152b`	fix audio report issue
`bafd81b`	fix audit suggestion
`b8ea082`	fix
`cf49298`	fix
`b1bfecd`	update
`bc4a8f0`	fix
`e88dbfc`	update agent-wallet
`a956313`	update
`57d7156`	Create audit-pr.yml
`6728342`	update
`1ebd798`	Merge branch 'main' into update-mcp-server
`822bdae`	fix
`224d32d`	fiix
`3b87508`	fix
`824c0d7`	fix
`17c1057`	fix
`47b8030`	fxi
`7fe32d7`	Merge pull request #28 from BofAI/ai-bankofai-patch-1
`2e02cab`	fix
`5dfcb8a`	fix
`a541e97`	fix
`956060e`	fix
`e5f417e`	fix
`fb1737f`	Merge pull request #26 from BofAI/ai-bankofai-patch-1
`24cf00e`	fix

Review Summary

Verdict

Verdict: Comment

Findings at a Glance

	Critical	Major	Minor	Suggestion
Count	0	3	5	6

Summary

This PR is primarily a documentation update adding a comprehensive new Agent Wallet section (Intro, QuickStart, FAQ, CLI Reference, SDK Guide, and SDK Cookbook) and revising the MCP Server and Skills documentation to be client-agnostic (replacing "Claude Desktop" references with generic "MCP client" terminology). The PR also removes a credentials-leaking debug step from the CI workflow and improves security messaging throughout the docs. The code changes are purely documentation and configuration (sidebars, workflow YAML, package.json version bump) — there is no application logic being changed.

The most significant security concern is that the workflow_dispatch trigger now has a comment describing it as "intentionally unrestricted," which is accurate but may surprise reviewers: it means anyone with write access to the repository can manually trigger Docker builds from any branch and push to Docker Hub. This is a deliberate design choice but should be explicitly acknowledged by the team. Additionally, three documentation-level issues were identified relating to misleading security guidance, an unexplained environment variable expansion quirk, and inconsistent cross-link anchors.

The newly added Agent Wallet documentation is detailed, well-structured, and demonstrates strong security awareness — it consistently warns users about private-key exposure risks, recommends encrypted storage over plaintext environment variables, and provides clear operational guidance. The documentation improvements across the MCP server sections remove Claude Desktop-specific configuration examples, replacing them with a generic npx add-mcp installation pattern, which improves portability but removes explicit per-client JSON configuration examples that were previously very helpful.

Change Summary

CI/CD Workflow Update

File	Change Type	Description
`.github/workflows/docker.yml`	Modified	Replaced branch `ai-bankofai-patch-1` with `update-mcp-server` in push/PR triggers; removed debug step that printed Docker Hub credentials; added `workflow_dispatch` comment

Purpose: Align the Docker build workflow with the new working branch and remove a security anti-pattern (echoing credentials in CI logs).

New Agent Wallet Documentation

File	Change Type	Description
`docs/Agent-Wallet/Intro.md`	Added	Full introduction to Agent Wallet concept, security model, and architecture
`docs/Agent-Wallet/QuickStart.md`	Added	Step-by-step setup guide for non-developers
`docs/Agent-Wallet/FAQ.md`	Added	Common questions covering security, offline use, password recovery, wallet types
`docs/Agent-Wallet/Developer/CLI-Reference.md`	Added	Complete CLI command reference
`docs/Agent-Wallet/Developer/SDK-Guide.md`	Added	TypeScript and Python SDK usage guide with code examples
`docs/Agent-Wallet/Developer/SDK-Cookbook.md`	Added	End-to-end runnable examples: TRON transfer, EVM/BSC transfer, x402 payment signing
`i18n/zh-Hans/docusaurus-plugin-content-docs/current/Agent-Wallet/` (6 files)	Added	Chinese translations of all new Agent Wallet docs

Purpose: Introduce a new documentation section for the Agent Wallet product, covering all user types from beginners to SDK developers.

MCP Server and Skills Documentation Revisions

File	Change Type	Description
`docs/McpServer-Skills/MCP/Intro.md`	Modified	Removed "Claude Code or Claude Desktop" specificity from MCP Host definition
`docs/McpServer-Skills/MCP/SUNMCPServer/FAQ.md`	Modified	Replaced Claude Desktop references with generic MCP client terminology; fixed security anti-patterns (now uses `[[ -n "$VAR" ]]` instead of `echo $VAR`); switched double quotes to single quotes for env vars
`docs/McpServer-Skills/MCP/SUNMCPServer/LocalPrivatizedDeployment.md`	Modified	Removed Tabs import; simplified configuration to generic approaches; updated env var quoting; updated Agent Wallet doc link
`docs/McpServer-Skills/MCP/SUNMCPServer/OfficialServerAccess.md`	Modified	Removed Tabs/TabItem imports; replaced multi-client JSON config examples with generic `npx add-mcp` installer flow
`docs/McpServer-Skills/MCP/TRONMCPServer/FAQ.md`	Modified	Replaced Claude Desktop references with generic MCP client; simplified troubleshooting steps
`docs/McpServer-Skills/MCP/TRONMCPServer/Intro.md`	Modified	Removed Claude Desktop specificity from user description and security note
`docs/McpServer-Skills/MCP/TRONMCPServer/LocalPrivatizedDeployment.md`	Modified	Removed Tabs import; simplified config examples to generic npx/source approaches
`docs/McpServer-Skills/MCP/TRONMCPServer/OfficialServerAccess.md`	Modified	Replaced per-client JSON config tabs with `npx add-mcp` installer walkthrough
`docs/McpServer-Skills/MCP/TRONMCPServer/QuickStart.md`	Modified	Updated client references to be generic
`docs/McpServer-Skills/MCP/TRONMCPServer/ToolList.md`	Modified	Minor reference updates
`docs/McpServer-Skills/SKILLS/BANKOFAISkill.md`	Modified	Major content restructure: simplified installation instructions, rewrote skill catalog with user-friendly framing
`docs/McpServer-Skills/SKILLS/Faq.md`	Modified	Significant rewrite: conversational tone, simpler troubleshooting, removed complex shell commands
`docs/McpServer-Skills/SKILLS/Intro.md`	Modified	Restructured from technical explanation to user benefit framing
`docs/McpServer-Skills/SKILLS/QuickStart.md`	Added	New quick start guide for SKILLS installation using `npx skills add`
`docs/Openclaw-extension/FAQ.md`	Modified	Major simplification: removed complex shell commands, adopted user-friendly tone
`docs/Openclaw-extension/Intro.md`	Modified	Updated to reflect Agent Wallet integration
`docs/Openclaw-extension/QuickStart.md`	Modified	Rewritten with gamified level-by-level framing; updated to use new installer flow
`i18n/zh-Hans/...` (Chinese translations of all the above)	Modified/Added	Mirror of all English content changes

Purpose: Make documentation client-agnostic (not locked to Claude Desktop), simplify user-facing language, and align MCP installation guidance to use the new npx add-mcp and npx skills add universal installer tools.

Sidebar and Configuration

File	Change Type	Description
`sidebars.js`	Modified	Added new `Agent Wallet` category with Intro, QuickStart, Explore Further (CLI, SDK Guide, SDK Cookbook), and FAQ; added `SKILLS/QuickStart` entry
`i18n/zh-Hans/.../sidebars.js`	Modified	Added Agent Wallet category in Chinese sidebar with translated "进一步探索" label
`i18n/zh-Hans/.../current.json`	Modified	Added `sidebar.docsSidebar.category.Explore Further` translation key
`package.json`	Modified	Version bump from `1.2.3` to `1.2.4`

Purpose: Wire the new Agent Wallet documentation into the site navigation and bump the package version.

Detailed Findings

[MJ-01] `workflow_dispatch` Allows Pushing to Docker Hub from Any Branch Without Review

Property	Value
Severity	Major
Category	Security
File	`.github/workflows/docker.yml` : Line 12

Description

The workflow_dispatch trigger, now annotated as "intentionally unrestricted," combined with push: ${{ github.event_name != 'pull_request' }}, means any user with write access to the repository can manually trigger this workflow from any arbitrary branch and push the resulting image to Docker Hub under the bankofai/docs:test tag. The comment in the diff says this is intentional for "flexibility," but it creates a risk: a compromised or careless contributor could publish a modified Docker image without a PR review.

Code

  workflow_dispatch: # Intentionally unrestricted — allows manual builds from any branch for flexibility

Recommendation
Consider adding a branch restriction to workflow_dispatch or, at minimum, document this risk in a team runbook. If unrestricted dispatch is truly desired, consider removing the push: true step for manual dispatches or requiring a specific input parameter confirming intent:

  workflow_dispatch:
    inputs:
      confirm_push:
        description: 'Type "push" to confirm pushing to Docker Hub'
        required: true

[MJ-02] SDK Cookbook Contains Hardcoded Mainnet API URL with No Rate-Limit or Auth Warning

Property	Value
Severity	Major
Category	Correctness / Docs
File	`docs/Agent-Wallet/Developer/SDK-Cookbook.md` : Lines 55-57

Description

The TRON Transfer example hardcodes https://nile.trongrid.io as a code constant with a comment saying "change to https://api.trongrid.io for mainnet." The mainnet endpoint requires a TronGrid API key for production use (rate limit is 100k/day without one). The cookbook provides no guidance on injecting the API key, nor does it note that the mainnet endpoint will throttle unauthenticated requests. Users copying this directly into production will silently encounter 429 errors at scale.

Code

const TRONGRID_API = "https://nile.trongrid.io"; // Nile testnet; change to https://api.trongrid.io for mainnet

Recommendation
Add a note or environment variable pattern for the API key, and reference the TronGrid API key documentation:

const TRONGRID_API = process.env.TRONGRID_API || "https://nile.trongrid.io";
// For mainnet: use https://api.trongrid.io
// Add TRONGRID-API-KEY header if you have a TronGrid API key (strongly recommended for production)

Or add a caution admonition in the surrounding Markdown explaining the rate-limit situation for mainnet.

[MJ-03] Removal of Client-Specific JSON Configuration Examples Reduces Discoverability

Property	Value
Severity	Major
Category	Docs
File	`docs/McpServer-Skills/MCP/TRONMCPServer/OfficialServerAccess.md`, `docs/McpServer-Skills/MCP/SUNMCPServer/OfficialServerAccess.md`, `docs/McpServer-Skills/MCP/TRONMCPServer/LocalPrivatizedDeployment.md`, `docs/McpServer-Skills/MCP/SUNMCPServer/LocalPrivatizedDeployment.md`

Description

Multiple files previously contained detailed, per-client (Claude Desktop, Claude Code, Cursor, Generic HTTP) JSON configuration examples in tabbed format. This PR removes all of them, replacing them with a single npx add-mcp or npx skills add command flow. While the new installer approach is simpler for supported clients, it gives users no fallback when the add-mcp tool does not support their client or they need to configure manually. The removal of the Claude Code claude mcp add ... command and the .mcp.json / .cursor/mcp.json examples is a notable regression for power users and developers who need precise control.

Code

-<Tabs>
-<TabItem value="Claude Desktop" label="Claude Desktop">
-...explicit JSON config examples...
-</TabItem>
-<TabItem value="Claude Code" label="Claude Code">
-  claude mcp add --transport http mcp-server-tron https://tron-mcp-server.bankofai.io/mcp
-</TabItem>

Recommendation
Retain the per-client manual configuration as a collapsible <details> section or an "Advanced / Manual Configuration" subsection so that: (a) the happy path remains simple via npx add-mcp, and (b) users on unsupported clients or those needing manual control still have authoritative reference material.

[MN-01] `AGENT_WALLET_DIR` Set with Unexpanded Tilde in Environment Variable

Property	Value
Severity	Minor
Category	Correctness / Docs
File	`docs/McpServer-Skills/MCP/SUNMCPServer/LocalPrivatizedDeployment.md` : Line 80

Description

The diff changes the AGENT_WALLET_DIR example from "~/.agent-wallet" (which does not expand in all contexts when used as an env var value set via export) to "$HOME/.agent-wallet". This is a correct improvement. However, the fix is applied inconsistently — some files in the PR still show the old "~/.agent-wallet" form in export statements. For example, in docs/Agent-Wallet/Developer/CLI-Reference.md, --dir /Volumes/MyUSB/agent-wallet is used (fine), but earlier examples in other new docs still show ~/.agent-wallet as a hard path in comments rather than with $HOME.

Code

# Fixed correctly in SUNMCPServer/LocalPrivatizedDeployment.md:
export AGENT_WALLET_DIR="$HOME/.agent-wallet"

# But Agent-Wallet FAQ.md still mentions:
ls ~/.agent-wallet/

Recommendation
Audit all uses of ~/.agent-wallet in the new documentation. Shell expansion of ~ works in interactive shells but is not guaranteed when a value is read programmatically (e.g., by an MCP server reading the env var). For env var declarations, consistently use $HOME/.agent-wallet.

[MN-02] Broken or Unverifiable Anchor Links to CLI Reference Section

Property	Value
Severity	Minor
Category	Correctness / Docs
File	`docs/McpServer-Skills/MCP/SUNMCPServer/FAQ.md` : Line 143, `docs/McpServer-Skills/MCP/TRONMCPServer/FAQ.md` : Line 95

Description

Multiple places in the FAQ documents link to ../../../Agent-Wallet/Developer/CLI-Reference#agent-wallet-reset-reset-all-data. The anchor fragment #agent-wallet-reset-reset-all-data is a generated Markdown heading slug. The actual heading in CLI-Reference.md is ### \agent-wallet reset` (Reset All Data). Docusaurus generates heading slugs from the text, not the code, and backtick code spans affect slug generation. The actual generated anchor is likely #agent-wallet-reset-reset-all-datawhich matches, but the parentheses in the heading(Reset All Data)` get stripped. This should be verified — if the anchor does not match, the links will silently point to the top of the page.

Code

Run `agent-wallet reset` to wipe and start over — see [CLI Reference → Reset](../../../Agent-Wallet/Developer/CLI-Reference#agent-wallet-reset-reset-all-data)

Recommendation
Verify all cross-document anchor links using docusaurus build or a link checker. If the slug does not match, use an explicit {#custom-id} on the target heading:

### `agent-wallet reset` (Reset All Data) {#agent-wallet-reset}

Then update links to #agent-wallet-reset.

[MN-03] `raw_secret` Wallet Type Documented Without Sufficient CLI Discoverability Warning

Property	Value
Severity	Minor
Category	Security / Docs
File	`docs/Agent-Wallet/Developer/CLI-Reference.md` : Lines 18-26

Description

The CLI Reference documents raw_secret as a wallet type that "stores your private key unencrypted on disk." It includes a :::danger admonition advising against it for real funds. However, the QuickStart (docs/Agent-Wallet/QuickStart.md) shows an interactive wizard screenshot where the first option presented is local_secure — without mentioning that raw_secret exists at that stage. This is good. However, the CLI Reference's danger block does not tell users how to check whether an existing wallet is raw_secret vs. local_secure, which could be important for users who may have accidentally created a raw_secret wallet in the past.

Code

:::danger Avoid the `raw_secret` wallet type for real funds
The interactive wizard may offer a `raw_secret` option. This type stores your private key **unencrypted** on disk...
:::

Recommendation
Add a note explaining how to inspect wallet type:

agent-wallet inspect <wallet-id>  # shows wallet type in output

Or note that agent-wallet list shows the type column.

[MN-04] `package.json` Version Bump Is Undocumented

Property	Value
Severity	Minor
Category	Docs / Quality
File	`package.json` : Line 3

Description

The version is bumped from 1.2.3 to 1.2.4 with no changelog entry or release notes. For a documentation site, this may be inconsequential, but if the version is used to track deployed releases or is surfaced anywhere in the UI, a CHANGELOG or release note would help maintainers understand what changed.

Code

-  "version": "1.2.3",
+  "version": "1.2.4",

Recommendation
Maintain a CHANGELOG.md or at minimum document the version bump reason in the PR description. If the docs site version is purely internal bookkeeping, consider noting that in the package.json description field.

[MN-05] `workflow_dispatch` Comment Uses an Em Dash That May Cause YAML Parsing Issues on Older Tools

Property	Value
Severity	Minor
Category	Correctness
File	`.github/workflows/docker.yml` : Line 12

Description

The added comment contains a Unicode em dash character (—). While modern YAML parsers handle this without issue, some older CI tooling and YAML linters may flag non-ASCII characters in comments as warnings. This is a low-risk concern but worth noting for CI hygiene.

Code

  workflow_dispatch: # Intentionally unrestricted — allows manual builds from any branch for flexibility

Recommendation
Replace the em dash with a regular hyphen for maximum compatibility:

  workflow_dispatch: # Intentionally unrestricted - allows manual builds from any branch for flexibility

[S-01] Security Improvement: `echo $AGENT_WALLET_PASSWORD` Pattern Correctly Replaced

Property	Value
Severity	Suggestion
Category	Security / Quality
File	`docs/McpServer-Skills/MCP/SUNMCPServer/FAQ.md` : Lines 135-138

Description

The PR correctly replaces the dangerous echo $AGENT_WALLET_PASSWORD (which would print the password to terminal/logs) with a safe existence-check pattern. This is a good fix. Consider documenting this pattern in a shared security style guide so future doc contributors know to use it.

Code

# New (correct) pattern:
[[ -n "$AGENT_WALLET_PASSWORD" ]] && echo "Password is set" || echo "Password NOT set"

Recommendation
Add a note to the repository's contributing guide or documentation style guide: "When showing how to verify an environment variable is set, never use echo $SECRET_VAR. Use [[ -n "$SECRET_VAR" ]] && echo 'set' || echo 'not set' instead."

[S-02] `npx add-mcp` Tool Is Not a Well-Known Standard — No Validation That It Exists

Property	Value
Severity	Suggestion
Category	Correctness / Docs
File	`docs/McpServer-Skills/MCP/TRONMCPServer/OfficialServerAccess.md` : Lines 47-52

Description

The PR replaces all client-specific MCP configuration instructions with npx add-mcp <url> -y. This tool (add-mcp) is not an officially recognized npm package in the broader MCP ecosystem and appears to be a project-specific or community tool. If the package is unmaintained, renamed, or removed from npm, all these documentation links become broken with no fallback instructions. Similarly, npx skills add used in the SKILLS QuickStart is project-specific. These tools' reliability and longevity should be validated.

Code

npx add-mcp https://tron-mcp-server.bankofai.io/mcp -y

Recommendation

Explicitly link to the npm page or GitHub repo for add-mcp so users can verify it.
Keep the manual JSON configuration as a fallback (see MJ-03).
Consider pinning a version: npx add-mcp@<version> to avoid unexpected breaking changes.

[S-03] SKILLS QuickStart Shows `x402-payment` with "Med" Security Alert Without Explanation

Property	Value
Severity	Suggestion
Category	Security / Docs
File	`docs/McpServer-Skills/SKILLS/QuickStart.md` : Lines 110-123

Description

The installation walkthrough shows a security assessment table where x402-payment has Med risk ratings from both Gen and Snyk, plus "1 alert." The guide then simply shows the user selecting "Yes" to proceed without explaining what the alerts are or how to evaluate them. Users following this walkthrough will develop a habit of clicking past security alerts without understanding them.

Code

│  x402-payment                      Med    1 alert  Med   │
...
◇  Proceed with installation?
│  Yes

Recommendation
Add a note explaining what Med means in this context and that users should review the specific alerts. For example: "The Med rating for x402-payment is typical for payment-related packages that handle cryptographic operations. Click the alert link to review the specific finding before proceeding."

[S-04] Openclaw QuickStart Uses Gamified "Level" Framing That May Obscure Critical Setup Steps

Property	Value
Severity	Suggestion
Category	Docs / Quality
File	`docs/Openclaw-extension/QuickStart.md` : Lines 28-60

Description

The new QuickStart uses a gaming metaphor ("Level 1", "Level 2", etc.) to describe installation steps. While this is engaging, critical steps like AgentWallet configuration are described as "just close your eyes and press Enter all the way through — the default values are perfectly fine." This may lead users to skip reviewing important security configuration without understanding what they are accepting.

Code

If you're a beginner, just close your eyes and press Enter all the way through — the default values are perfectly fine.

Recommendation
Retain the approachable tone but ensure security-relevant steps are explicitly identified. For example: "For beginners: the defaults are safe to accept. The one exception is your master password — make sure to copy it when shown." Avoid "close your eyes" phrasing for security-sensitive steps.

[S-05] zh-Hans Sidebar Uses Hardcoded Chinese String Instead of Translation Key

Property	Value
Severity	Suggestion
Category	Quality / Consistency
File	`i18n/zh-Hans/docusaurus-plugin-content-docs/current/sidebars.js` : Line 159

Description

The Chinese sidebar hardcodes the label '进一步探索' directly in the sidebar JS file rather than using a translation key (as is done for other categories). The English sidebar uses 'Explore Further' which Docusaurus resolves via current.json. The Chinese sidebar could also use 'Explore Further' as the key and rely on the translation file, keeping the pattern consistent.

Code

// In i18n/zh-Hans/...sidebars.js:
label: '进一步探索',  // hardcoded Chinese string

// vs. English sidebars.js:
label: 'Explore Further',  // resolved via current.json translation key

Recommendation
Use the same label key 'Explore Further' in the zh-Hans sidebar.js as well and rely on the current.json translation entry (which was also added in this PR: "sidebar.docsSidebar.category.Explore Further": { "message": "进一步探索", ... }). This makes future label changes consistent across both files.

[S-06] Commit History Contains Many Undescriptive "fix" Messages

Property	Value
Severity	Suggestion
Category	Quality / Maintainability
File	Git commit history

Description

17 of the 47 commits are titled "fix" with no additional context, and several others have misspellings ("fiix", "fxi"). While this does not affect the code itself, it makes bisecting and auditing history extremely difficult.

Code

47b8030 fxi
224d32d fiix
822bdae fix
3b87508 fix
824c0d7 fix
...

Recommendation
Adopt a commit convention (e.g., Conventional Commits: docs:, fix:, feat:) and consider squashing fixup commits before merging to main to maintain a clean, navigable history.

Positive Observations

Area	Observation
Security: CI credential hygiene	The debug step that echoed Docker Hub credentials (`echo "username=[$DOCKERHUB_USERNAME]"`) was correctly removed. This was a clear security anti-pattern.
Security: env var quoting	Multiple locations correctly changed double-quoted env var assignments (`"your_password"`) to single-quoted (`'your_password'`) to prevent shell expansion of special characters in passwords.
Security: password existence check	Replaced `echo $AGENT_WALLET_PASSWORD` (which reveals the password) with `[[ -n "$AGENT_WALLET_PASSWORD" ]]` (which only checks existence) — a meaningful security improvement in user-facing docs.
Documentation depth	The new Agent Wallet documentation is comprehensive, covering beginner to developer audiences with consistent cross-references, dual TypeScript/Python examples, and well-structured admonition blocks.
Security documentation	The Agent Wallet introduction clearly explains the two-lock security model, the threat model (dependency chain poisoning, accidental log exposure, git history), and how `local_secure` mitigates each.
Error handling examples	The SDK Guide includes explicit error handling patterns with typed exceptions (`WalletNotFoundError`, `DecryptionError`, `SigningError`), which is developer-friendly and promotes defensive coding.
Client-agnostic improvements	Replacing "Claude Desktop" specificity with generic "MCP client" language throughout is a meaningful improvement to the longevity of the documentation.
Inline warnings on dangerous operations	The `agent-wallet reset` command is consistently accompanied by strong warnings about irreversibility and the need to back up funds first.
Chinese translation coverage	All new English documentation has corresponding Chinese translations, maintaining full i18n coverage.

Checklist Results

Category	Items Checked	Pass	Fail	N/A	Notes
Correctness	8	6	2	0	Anchor link correctness unverified (MN-02); `~` vs `$HOME` inconsistency (MN-01)
Security	10	8	2	0	`workflow_dispatch` unrestricted push (MJ-01); `echo $PASSWORD` patterns fixed; credential debug step removed
Performance	3	3	0	0	No performance-affecting code; documentation only
Code Quality	8	5	3	0	Undescriptive commit messages (S-06); zh-Hans hardcoded label (S-05); missing fallback config examples (MJ-03)
Testing	4	2	0	2	No tests applicable to documentation; workflow CI tests are not modified
Documentation	12	11	1	0	SDK Cookbook lacks mainnet API key guidance (MJ-02)
Compatibility	5	4	1	0	Removal of per-client JSON examples is a regression for unsupported clients (MJ-03)
Observability	3	3	0	0	Error types documented; no application code changed

Disclaimer

This is an automated code review. It supplements but does not replace human review.

Report generated by Code Review Skill v1.0.0
Date: 2026-03-24

github-actions · 2026-03-24T10:59:41Z

Code Review Report

Project: @x402-tron/docs (Docusaurus documentation site)
PR: main → update-mcp-server
Review Date: 2026-03-24
Reviewer: AI Code Reviewer (Code Review Skill v1.0.0)

PR Overview

Branch Information

Property	Value
From Branch	`remotes/origin/main`
To Branch	`remotes/origin/update-mcp-server`
Commits	45
Files Changed	54
Lines Added	+5,688
Lines Removed	-2,906

Commit History (Recent)

Hash	Message
`684fd9d`	config to install
`88515e5`	add setup mode
`533abed`	skills quickstart Double Quotes to Single Quotes
`b9fb0cc`	update setup process
`4c3b71b`	fix
`65940fe`	add restart ai agent
`6b6423b`	delete tron mcp server trongrid
`249c43b`	Update Official Cloud Service MCP Usage Steps
`b6621a6`	update skill and setup way
`26ff9f5`	fix MAJOR-1: echo $AGENT_WALLET_PASSWORD Instructs Users to Print Password to Terminal

Review Summary

Verdict

Verdict: ✅ Approve with Minor Notes

Findings at a Glance

	Critical	Major	Minor	Suggestion
Count	0	1	3	3

Summary

This PR is a large documentation update for the @x402-tron/docs Docusaurus site. The primary changes are: (1) an entirely new Agent Wallet documentation section (intro, quick start, FAQ, CLI reference, SDK guide, SDK cookbook — in both English and Simplified Chinese), (2) a significant rewrite of the MCP Server access docs to use the new npx add-mcp auto-install flow, (3) a new SKILLS quick start guide, and (4) a CI/CD security fix removing a debug step that was printing Docker Hub credentials to CI logs.

Overall the documentation quality is high: security warnings are prominently placed using Docusaurus admonition blocks (:danger:, :::caution), code examples are dual-language (TypeScript + Python), and the writing is clear. One Major finding relates to the unrestricted workflow_dispatch trigger that allows any branch to push a Docker image to Docker Hub. Three Minor issues were identified around a repeated example password, an incomplete i18n translation key, and a sidebar reference to BSC MCP Server pages that are not present in this PR. Three Suggestions address link-correctness hygiene, the missing Agent Wallet i18n category label, and a changelog entry.

Change Summary

1. CI/CD Pipeline — `docker.yml`

File	Change Type	Description
`.github/workflows/docker.yml`	Modified	Replace `ai-bankofai-patch-1` branch references with `update-mcp-server`; remove debug step that printed Docker Hub credentials; add comment on `workflow_dispatch`

Purpose: Keep the build pipeline aligned with the new working branch, and remove a pre-existing security concern where the CI step echoed DOCKERHUB_USERNAME and the length of DOCKERHUB_TOKEN to the GitHub Actions log.

2. New Agent Wallet Documentation (English)

File	Change Type	Description
`docs/Agent-Wallet/Intro.md`	Added	Overview of Agent Wallet, supported chains, architecture, links
`docs/Agent-Wallet/QuickStart.md`	Added	Step-by-step guide: install Node.js, create wallet, configure password, call from OpenClaw
`docs/Agent-Wallet/FAQ.md`	Added	Security model, encryption details, troubleshooting 12 common questions
`docs/Agent-Wallet/Developer/CLI-Reference.md`	Added	Full CLI command reference including automation, dangerous operations, shell script example
`docs/Agent-Wallet/Developer/SDK-Guide.md`	Added	SDK integration guide with environment variable configuration, supported networks, error handling
`docs/Agent-Wallet/Developer/SDK-Cookbook.md`	Added	End-to-end code examples: TRON TRX transfer, BSC BNB transfer, x402 PaymentPermit signing

Purpose: Introduces a complete documentation section for the Agent Wallet product that was previously undocumented.

3. New Agent Wallet Documentation (Chinese — `i18n/zh-Hans`)

File	Change Type	Description
`i18n/zh-Hans/.../Agent-Wallet/Intro.md`	Added	Chinese translation of Intro
`i18n/zh-Hans/.../Agent-Wallet/QuickStart.md`	Added	Chinese translation of QuickStart
`i18n/zh-Hans/.../Agent-Wallet/FAQ.md`	Added	Chinese translation of FAQ
`i18n/zh-Hans/.../Agent-Wallet/Developer/CLI-Reference.md`	Added	Chinese translation of CLI Reference
`i18n/zh-Hans/.../Agent-Wallet/Developer/SDK-Guide.md`	Added	Chinese translation of SDK Guide
`i18n/zh-Hans/.../Agent-Wallet/Developer/SDK-Cookbook.md`	Added	Chinese translation of SDK Cookbook
`i18n/zh-Hans/.../current.json`	Modified	Added `"Explore Further"` → `"进一步探索"` sidebar label translation

Purpose: Provides full Chinese localisation parity for the new Agent Wallet section.

4. MCP Server Documentation Rewrite

File	Change Type	Description
`docs/McpServer-Skills/MCP/TRONMCPServer/OfficialServerAccess.md`	Modified	Replaces multi-tab manual JSON config with `npx add-mcp` auto-install flow
`docs/McpServer-Skills/MCP/TRONMCPServer/LocalPrivatizedDeployment.md`	Modified	Simplified installation steps, removed verbose tab-based config blocks
`docs/McpServer-Skills/MCP/TRONMCPServer/QuickStart.md`	Modified	Updated to reference new auto-install command
`docs/McpServer-Skills/MCP/TRONMCPServer/Intro.md`	Modified	Minor wording updates
`docs/McpServer-Skills/MCP/TRONMCPServer/FAQ.md`	Modified	Updated FAQ entries
`docs/McpServer-Skills/MCP/TRONMCPServer/ToolList.md`	Modified	Changed `list_wallets`/`select_wallet` descriptions to link to Agent Wallet docs
`docs/McpServer-Skills/MCP/SUNMCPServer/*.md`	Modified	Parallel updates to SUN MCP Server docs
`docs/McpServer-Skills/MCP/Intro.md`	Modified	Minor update
All corresponding `i18n/zh-Hans/…/MCP/…`	Modified	Chinese translations updated in parallel

Purpose: Modernises the MCP Server setup experience from manual copy-paste JSON config to a one-line npx add-mcp command. This is a significant UX improvement.

5. SKILLS Documentation Updates

File	Change Type	Description
`docs/McpServer-Skills/SKILLS/QuickStart.md`	Added	New quick start guide using `npx skills add` command
`docs/McpServer-Skills/SKILLS/Intro.md`	Modified	Revised introduction, added references to new QuickStart
`docs/McpServer-Skills/SKILLS/BANKOFAISkill.md`	Modified	Renamed section, condensed skill catalog
`docs/McpServer-Skills/SKILLS/Faq.md`	Modified	Updated FAQ entries

Purpose: Brings SKILLS documentation to the same structural standard as MCP Server docs.

6. Openclaw Extension Documentation

File	Change Type	Description
`docs/Openclaw-extension/Intro.md`	Modified	Wording updates, additional context
`docs/Openclaw-extension/QuickStart.md`	Modified	Revised installation steps
`docs/Openclaw-extension/FAQ.md`	Modified	Expanded FAQ

Purpose: General documentation refresh for the Openclaw Extension section.

7. Sidebar and Package Updates

File	Change Type	Description
`sidebars.js`	Modified	Added "Agent Wallet" category; added `SKILLS/QuickStart` entry
`i18n/zh-Hans/.../sidebars.js`	Modified	Added "Agent Wallet" category (Chinese version)
`package.json`	Modified	Version bump `1.2.3` → `1.2.4`

Purpose: Registers all new documentation pages in the navigation sidebar.

Detailed Findings

Major

[MJ-01] Unrestricted `workflow_dispatch` Allows Any Branch to Push to Docker Hub

Property	Value
Severity	Major
Category	Security / CI-CD
File	`.github/workflows/docker.yml` : Lines 13–14

Description

The workflow_dispatch trigger has no branch restriction, which means any user with repository write access can manually trigger a Docker build from any branch — including unreviewed feature branches — and push the resulting image to Docker Hub (because push: ${{ github.event_name != 'pull_request' }} evaluates to true for workflow_dispatch events).

While the image is tagged only as test, the push still overwrites the test tag on Docker Hub. If consumers or CI pipelines depend on that tag for staging or validation environments, an accidental or malicious manual dispatch from an unstable branch could introduce a bad image.

The added comment acknowledges this was intentional ("allows manual builds from any branch for flexibility"), but the risk of overwriting the shared test tag is not documented.

Code

- # Before:
-   workflow_dispatch:
+ # After:
+   workflow_dispatch: # Intentionally unrestricted — allows manual builds from any branch for flexibility

Recommendation

Add an environment gate or explicit if condition to the push step for workflow_dispatch events, so that manual dispatches on non-main/non-master branches build but do not push to the registry:

      - name: Build and push Docker image
        uses: docker/build-push-action@v6
        with:
          context: .
          # Only push on push events to main/master/tags, or on workflow_dispatch from main/master
          push: ${{ github.event_name == 'push' || (github.event_name == 'workflow_dispatch' && (github.ref == 'refs/heads/main' || github.ref == 'refs/heads/master')) }}

Alternatively, add a note in the comment explaining which tag test maps to and whether consumers are expected to depend on it.

Minor

[MN-01] Repeated Weak Example Password May Confuse Security-Conscious Users

Property	Value
Severity	Minor
Category	Documentation / Security
File	`docs/Agent-Wallet/Developer/CLI-Reference.md` : Lines 29, 44, 81, 88, 170, 185, 216, 238 (and equivalents in SDK-Guide, QuickStart, zh-Hans translations)

Description

The password Abc12345! is used as the example value throughout all Agent Wallet documentation (CLI Reference, SDK Guide, QuickStart, SDK Cookbook). This exact string meets the tool's stated password requirements (8+ chars, upper, lower, digit, special), which may lead less-experienced users to copy it verbatim as their actual master password — particularly in quick-start or automation setups.

The documentation does contain :::caution Shell history risk and :::danger admonitions, but these appear after the command examples and may not be read by users who copy commands directly.

Code

agent-wallet start -p Abc12345!
export AGENT_WALLET_PASSWORD='Abc12345!'
agent-wallet sign msg "Hello" -n tron -p 'Abc12345!' --save-runtime-secrets

Recommendation

Replace the literal Abc12345! with a clearly placeholder-style value such as <YourPassword123!> or 'YOUR_MASTER_PASSWORD'. This makes it immediately obvious that the user must substitute their own credential:

agent-wallet start -p '<YourPassword123!>'
export AGENT_WALLET_PASSWORD='<YourPassword123!>'

If a concrete-looking example is preferred for visual clarity, prepend a code comment:

# Replace the password below with your own — do NOT use this example value
export AGENT_WALLET_PASSWORD='Abc12345!'

[MN-02] i18n Translation Key Missing for "Agent Wallet" Sidebar Category Label

Property	Value
Severity	Minor
Category	Documentation / Compatibility
File	`i18n/zh-Hans/docusaurus-plugin-content-docs/current.json` : End of file

Description

The PR correctly adds the "Explore Further" → "进一步探索" translation to current.json, but it does not add a translation key for the parent "Agent Wallet" sidebar category label. The zh-Hans sidebars.js currently hardcodes the English string 'Agent Wallet' directly in the label field:

{
  type: 'category',
  label: 'Agent Wallet',   // ← not translated
  ...
}

This is inconsistent with other translated sections (e.g., 'Openclaw 扩展插件', 'MCP 服务器') which use Chinese labels directly, and differs from how the "Explore Further" sub-category is translated via current.json.

Code (i18n/zh-Hans/docusaurus-plugin-content-docs/current/sidebars.js)

{
  type: 'category',
  label: 'Agent Wallet',   // should be '智能体钱包' or similar
  collapsed: false,
  items: [ ... ]
}

Recommendation

Either:

Change the label in zh-Hans sidebars.js to the Chinese equivalent (e.g., '智能体钱包'), or
Add a translation key in current.json:

"sidebar.docsSidebar.category.Agent Wallet": {
  "message": "智能体钱包",
  "description": "The label for category Agent Wallet in sidebar docsSidebar"
}

and use translationId in the sidebars entry.

[MN-03] Sidebars Reference BSC MCP Server Pages Not Included in This PR

Property	Value
Severity	Minor
Category	Correctness / Documentation
File	`sidebars.js` : BSC MCP Server category block (lines ~115-130 in updated file)

Description

The updated sidebars.js contains a sidebar category for BSC MCP Server that references three doc IDs:

{
  type: 'category',
  label: 'BSC MCP Server',
  collapsed: true,
  items: [
    'McpServer-Skills/MCP/BSCMCPServer/Intro',
    'McpServer-Skills/MCP/BSCMCPServer/Features',
    'McpServer-Skills/MCP/BSCMCPServer/Installation',
  ],
},

None of these files (BSCMCPServer/Intro.md, BSCMCPServer/Features.md, BSCMCPServer/Installation.md) are present in the diff or otherwise added in this PR. If the Docusaurus build runs with docs.onBrokenLinks: 'throw' (the default), this will cause a build failure. If set to 'warn', broken links will silently appear in the built site.

Recommendation

Either:

Add the missing BSC MCP Server documentation files in this PR (or a follow-up), or
Remove the BSC MCP Server sidebar entry until the corresponding pages are ready:

// TODO: Add BSC MCP Server docs before re-enabling this sidebar entry
// {
//   type: 'category',
//   label: 'BSC MCP Server',
//   ...
// }

Suggestions

[S-01] Run a Broken Link Check Before Merging

File: Multiple MCP Server docs (e.g., docs/McpServer-Skills/MCP/TRONMCPServer/ToolList.md, docs/McpServer-Skills/MCP/TRONMCPServer/OfficialServerAccess.md)

Description: The MCP Server documentation introduces a number of new cross-document links pointing to the new Agent-Wallet/Intro pages. While the target pages exist in this PR, a Docusaurus build should be run to validate that no links are broken — especially given [MN-03] above with the BSC MCP Server references.

Suggestion: Add a CI step or pre-merge gate:

yarn build  # Will throw on broken links by default in Docusaurus

This ensures any broken internal links are caught automatically.

[S-02] Document the `test` Docker Tag Semantics in `docker.yml`

File: .github/workflows/docker.yml

Description: The Docker image is always tagged test regardless of the source branch. There is no indication in the workflow of who consumes this tag or what contract it represents. Related to [MJ-01], callers relying on the test tag for CI/CD validation could be silently broken by accidental or premature pushes.

Suggestion: Add a comment block near the tag configuration clarifying the expected usage lifecycle of the test tag and whether it represents a stable preview or a volatile snapshot.

[S-03] Consider Adding a `CHANGELOG` or Release Notes Entry

File: package.json (version 1.2.4), documentation root

Description: The version bump to 1.2.4 is unaccompanied by any CHANGELOG.md or release note entry. For a documentation project, a brief changelog entry makes it easier to communicate what new content was added in each release (e.g., for internal stakeholders, link-sharing, or versioned docs).

Suggestion: Add a CHANGELOG.md entry (or update an existing one) noting the addition of the Agent Wallet documentation section and the MCP Server auto-install flow changes.

Positive Observations

Area	Observation
Security Fix	The removal of the "Debug Docker Hub secrets" step (which was printing `DOCKERHUB_USERNAME` and token length to CI logs) is an excellent proactive security improvement.
Security Documentation	New Agent Wallet docs consistently use `:::danger` and `:::caution` admonition blocks to call out high-risk operations (e.g., `raw_secret` mode, inline `-p` flag, `--save-runtime-secrets`). The coverage is thorough and appropriately placed.
Dual-Language Code Examples	All SDK Cookbook examples are provided in both TypeScript and Python with tab switching — a best practice for a multi-language developer audience.
Validated Code Patterns	The SDK Cookbook includes runtime validation checks after each API call (e.g., checking for missing `txID` and `signature` fields after TronGrid calls, JSON parse error handling).
CI Best Practice	The new CI/CD example in `CLI-Reference.md` correctly uses `${{ secrets.AGENT_WALLET_PASSWORD }}` and explicitly warns against hardcoding passwords in workflow files.
Non-Breaking Navigation	The new `Agent-Wallet` sidebar category is inserted between existing sections without disrupting the existing navigation order.
Shell Quoting Guidance	The documentation consistently warns about using single quotes vs. double quotes for passwords with special characters in shell environments — a common source of subtle bugs.
Progressive Disclosure	Quick Start pages cover the minimal path with links to deeper references (CLI Reference, SDK Guide, SDK Cookbook, FAQ), following a good progressive-disclosure documentation pattern.

Checklist Results

Category	Items Checked	Pass	Fail	N/A	Notes
Correctness	5	4	1	-	MN-03: broken sidebar references to BSC MCP Server pages
Security	6	5	1	-	MJ-01: unrestricted workflow_dispatch can push to Docker Hub from any branch
Performance	3	-	-	3	No runtime code changed; N/A for docs-only changes
Code Quality	5	4	1	-	MN-01: example password `Abc12345!` reused ubiquitously
Testing	3	-	-	3	No application tests; docs site relies on Docusaurus build validation
Documentation	6	5	1	-	MN-02: missing i18n translation key for "Agent Wallet" category label
Compatibility	3	3	-	-	sidebars.js structure correct, package.json version bump appropriate
Observability	2	2	-	-	Debug secrets step correctly removed; remaining logging is appropriate

Disclaimer

This is an automated code review. It supplements but does not replace human review. The reviewer analyzed only the diff between remotes/origin/main and remotes/origin/update-mcp-server. Runtime behavior, integration testing, and deployment impact are not covered. Documentation accuracy (e.g., correctness of blockchain API URLs, SDK method signatures) has not been independently verified against live services.

Report generated by Code Review Skill v1.0.0
Date: 2026-03-24

jizhen181-dot added 17 commits March 18, 2026 20:23

fix

24cf00e

Merge pull request #26 from BofAI/ai-bankofai-patch-1

fb1737f

Ai bankofai patch 1

fix

e5f417e

fix

956060e

fix

a541e97

fix

5dfcb8a

fix

2e02cab

Merge pull request #28 from BofAI/ai-bankofai-patch-1

7fe32d7

fix

fxi

47b8030

fix

17c1057

fix

824c0d7

fix

3b87508

fiix

224d32d

fix

822bdae

Merge branch 'main' into update-mcp-server

1ebd798

update

6728342

update

a956313

jizhen181-dot closed this Mar 21, 2026

jizhen181-dot reopened this Mar 21, 2026

jizhen181-dot added 2 commits March 22, 2026 03:22

update agent-wallet

e88dbfc

fix

bc4a8f0

update

b1bfecd

fix

cf49298

fix

b8ea082

fix audit suggestion

bafd81b

update agent wallet

5ecdb8c

update skills

11c00b5

update skill intro

6295071

update skill intro

2248698

update skills

590e69e

update skill and setup way

b6621a6

delete permanently

7fedc2e

Update Official Cloud Service MCP Usage Steps

249c43b

jizhen181-dot added 4 commits March 24, 2026 00:07

delete tron mcp server trongrid

6b6423b

add restart ai agnet

65940fe

fix

4c3b71b

update setup process

b9fb0cc

skills quickstart Double Quotes to Single Quotes

533abed

add setup mode

88515e5

config to install

684fd9d

Will-Guan approved these changes Mar 24, 2026

View reviewed changes

Will-Guan merged commit 763194a into main Mar 24, 2026
4 checks passed

github-actions Bot mentioned this pull request Mar 25, 2026

Update mcp server #37

Merged

Conversation

jizhen181-dot commented Mar 20, 2026

Uh oh!

github-actions Bot commented Mar 21, 2026

Code Review Report

PR Overview

Branch Information

Commit History

Review Summary

Verdict

Findings at a Glance

Summary

Change Summary

1. New Agent-Wallet Documentation (English)

2. New Agent-Wallet Documentation (Chinese / zh-Hans)

3. MCP Server Documentation Refactor

4. Configuration & CI Changes

Detailed Findings

Major

[MJ-01] Shell History Exposes Master Password When Following QuickStart Instructions

[MJ-02] CI Debug Step Leaks Docker Hub Username to Public Workflow Logs

Minor

[MN-01] TypeScript EVM Example Uses Non-Null Assertion on Potentially Null feeData Fields

[MN-02] bankofai-recharge Table Link Points to a Live MCP Endpoint, Not a Documentation Page

[MN-03] Feature Branch Trigger Retained in Docker CI Workflow May Persist After Merge

[MN-04] Inconsistent Commit Message Quality Makes Change History Hard to Navigate

Suggestions

[S-01] Add Guidance to Prevent Shell History Exposure via HISTIGNORE

[S-02] Document File Permissions for runtime_secrets.json

[S-03] Consider Adding GitHub Actions Secret Usage Example for CI/CD Workflows

Positive Observations

Checklist Results

Disclaimer

Uh oh!

github-actions Bot commented Mar 21, 2026

PR Audit Report

PR Overview

Commit Summary (most recent first)

Files Changed (Grouped)

Change Summary

1. New Agent-Wallet Documentation Suite

2. MCP Server Docs — Agent-Wallet Cross-linking

3. Sidebar Navigation

4. CI/CD Branch Reference Update

5. Package Version Bump

6. Openclaw Intro Link Fix

Detailed Findings

Security Findings

FINDING-001 — --save-runtime-secrets Missing Security Warning

FINDING-002 — Double-Quote Password Escape Fixed in New Docs but Only Partially Propagated

Correctness & Logic Findings

FINDING-003 — agent-wallet init Command Referenced in Legacy Docs Was Correctly Removed

FINDING-004 — Python EVM Broadcast: bytes.fromhex() Assumes Hex Without 0x Prefix

FINDING-005 — Sidebar Agent Wallet Category Is Not Translated in zh-Hans current.json

FINDING-006 — runtime_secrets.json Password Cache Has No Documented Revocation/Cleanup Path

Documentation Quality Findings

FINDING-007 — SDK-Cookbook x402 PaymentPermit Example Is Incomplete (No Error Handling, No Retry)

FINDING-008 — CI Workflow Branch Trigger Includes update-mcp-server — Should Be Cleaned Before Merge

FINDING-009 — Commit Messages Provide No Useful History

FINDING-010 — Password Inline Examples in CLI-Reference Use Weak Placeholder Password

FINDING-011 — Intro.md Comparison Table Uses Non-Standard Docusaurus Emoji Syntax

Positive Observations

Review Verdict

Uh oh!

github-actions Bot commented Mar 22, 2026

Code Review Report

PR Overview

Branch Information

Commit History

Review Summary

Verdict

Findings at a Glance

Summary

Change Summary

1. New Agent-Wallet Documentation (6 new files)

2. MCP Server Docs Refactoring (5 modified files)

3. Cross-Linking and Minor Doc Fixes (2 modified files)

4. Navigation and Configuration

5. Chinese i18n Content (6 new files)

Detailed Findings

[MN-01] TypeScript EVM Example Uses Non-Null Assertion on Potentially Null `feeData` Fields

[MN-02] `bankofai-recharge` Table Link Points to a Live MCP Endpoint, Not a Documentation Page

[S-02] Document File Permissions for `runtime_secrets.json`

FINDING-001 — `--save-runtime-secrets` Missing Security Warning

FINDING-003 — `agent-wallet init` Command Referenced in Legacy Docs Was Correctly Removed

FINDING-004 — Python EVM Broadcast: `bytes.fromhex()` Assumes Hex Without `0x` Prefix

FINDING-005 — Sidebar `Agent Wallet` Category Is Not Translated in zh-Hans `current.json`

FINDING-006 — `runtime_secrets.json` Password Cache Has No Documented Revocation/Cleanup Path

FINDING-008 — CI Workflow Branch Trigger Includes `update-mcp-server` — Should Be Cleaned Before Merge

FINDING-011 — `Intro.md` Comparison Table Uses Non-Standard Docusaurus Emoji Syntax

[MJ-01] `--save-runtime-secrets` Documented Without a Security Warning

[MJ-02] `echo` Command in QuickStart Silently Corrupts Passwords Containing Single Quotes

[S-01] `package.json` Description Does Not Reflect Expanded Project Scope

[S-02] `AGENT_WALLET_DIR` Environment Variable Example Uses Potentially Non-Expanding Tilde

[S-03] `--save-runtime-secrets` Flow Does Not Show File Location Verification

[MJ-01] Non-null Assertions on `feeData` Fields in TypeScript EVM Example

[MJ-02] Stale `agent-wallet init` → `agent-wallet start` Transition Not Explicitly Noted

[MN-03] Missing Blank Line Before `---` Separator in Chinese CLI Reference

[S-02] `QuickStart.md` Step 2: Echo Command May Double-Write if Already Configured

[S-03] `SDK-Guide.md`: `AGENT_WALLET_DIR` Default Uses `~` Which May Not Expand in All Contexts

[S-04] `LocalPrivatizedDeployment.md`: Leftover `AGENT_WALLET_DIR` Still Uses Double Quotes