AntFleet

Disagreement · 8dbec532-openai-2

SKILL env metadata for opensea-wallet omits variables required by referenced setup flows (Turnkey RPC URL, private-key envs, Privy auth signing key)

mismatch
repo a16d2030 · PR #2 · reviewed 1 week ago

Primary finding

SKILL env metadata for opensea-wallet omits variables required by referenced setup flows (Turnkey RPC URL, private-key envs, Privy auth signing key)

medium · api-contract · high
  • opensea/opensea-wallet/SKILL.md:7-45
  • opensea/opensea-wallet/references/wallet-setup.md
Consumers rely on the SKILL’s `env` metadata to know what to configure. The manifest omits variables later required by the Turnkey setup (`TURNKEY_RPC_URL`), private-key setup (`PRIVATE_KEY`, `RPC_URL`, `WALLET_ADDRESS`), and hardened Privy setup (`PRIVY_AUTH_SIGNING_KEY`). This mismatch will cause failed runs or confusion in environments that generate UIs/prompts from the manifest.

Recommendation

Update `opensea-wallet/SKILL.md` env metadata to include:
  • `TURNKEY_RPC_URL` (required for Turnkey adapter)
  • `PRIVATE_KEY`, `RPC_URL`, `WALLET_ADDRESS` (for private-key adapter; clearly mark as not recommended)
  • `PRIVY_AUTH_SIGNING_KEY` (when owner-enforced auth is enabled)

Set accurate `required` flags and brief obtain/usage notes.

Counterpart finding

Conflicting auto-detect order between SKILL.md text and env var docs

low · docs-gap · medium
  • opensea/opensea-wallet/SKILL.md:96
  • opensea/opensea-wallet/SKILL.md:26-30
SKILL.md lists Privy as 'default provider' and gives an auto-detect order that places Fireblocks ahead of Turnkey, but the supported-providers table earlier in the same file lists Privy/Turnkey/Fireblocks/Bankr/Private Key in a different order. There is no canonical source-of-truth file in the PR establishing detection order, so a user inferring behavior from the table would expect Turnkey before Fireblocks. If the implementation diverges from this prose ordering, agents will silently pick up the 'wrong' provider when multiple credentials are present (a common operator mistake). This is not necessarily wrong, but the doc itself does not internally agree.

Recommendation

State the detection order once, near the providers table, and either reference the implementation file or pin a test that asserts the order. Ensure both the auto-detect prose and the references/wallet-setup.md are consistent.

Why this didn't post

This finding didn't meet AntFleet's unanimous agreement threshold. Both frontier models review every PR independently; only findings they both flag with the same severity and category are posted to the PR. This one fell through.
