Skip to content

Add vigil: Onchain security scanner for DeFi traders on Base#438

Closed
vigilcodes wants to merge 4 commits into
BankrBot:mainfrom
vigilcodes:add-vigil-skill
Closed

Add vigil: Onchain security scanner for DeFi traders on Base#438
vigilcodes wants to merge 4 commits into
BankrBot:mainfrom
vigilcodes:add-vigil-skill

Conversation

@vigilcodes

@vigilcodes vigilcodes commented Jun 2, 2026
edited
Loading

Copy link
Copy Markdown

Summary

Adds VIGIL — an agent-based MCP security server for onchain DeFi protection on Base.

What It Does

  • Approval Scanner — List all ERC-20/ERC-721 approvals, flag unlimited approvals
  • Token Scanner — Analyze contracts for rugpull indicators (hidden mint, proxy, tax manipulation, blacklist)
  • Honeypot Detector — Simulate buy/sell to detect trap tokens
  • Safety Score — 0-100 composite rating based on code analysis, ownership, liquidity
  • Approval Revoker — Revoke dangerous approvals via Bankr transaction signing (gated, requires BANKR_API_KEY + explicit confirmation)
  • Wallet Report — Full security posture assessment

The live endpoint now exposes 11 read-only tools (approvals, token scan, honeypot, safety score, wallet report, wallet monitor, market, deployer check, batch scan, scam check, sentinel status). Read-only scans need no API key.

MCP Integration

Runs as a standard MCP server (stdio/SSE). Compatible with Claude Desktop, Cursor, Aeon, and any MCP client. Plain JSON-RPC over POST https://mcp.vigil.codes/tools/call is also supported for shell clients.

Ecosystem

Files

  • SKILL.md — Full skill definition with task guide
  • scripts/ — shell scripts for CLI usage (hardened: strict ^0x[0-9a-f]{40}$ input validation, loud error handling)
  • references/ — API docs, contracts, tokenomics, Bankr integration

GitHub

https://github.com/vigilcodes/vigil-mcp

Website

https://vigil.codes

@vigilcodes vigilcodes mentioned this pull request Jun 2, 2026
Merged
vigilcodes added 2 commits June 2, 2026 16:01
@vigilcodes
fix: HTTPS endpoint, correct capabilities, proper JSON-RPC wiring
14658ee
@vigilcodes
fix(vigil): working scripts against live endpoint + new tools
8ecfb05 
The scripts called a REST API that doesn't exist (api.bankr.bot/vigil/...),
so every command failed. Rewrite them against the live JSON-RPC endpoint
(mcp.vigil.codes/tools/call) with a shared helper.

- _vigil_lib.sh: strict 0x-address validation (anti shell-injection),
  chain validation, and vigil_call() that checks HTTP + JSON-RPC errors.
- Rewrite token/honeypot/score/approvals/report to use vigil_call.
- Add market, deployer, check-scam scripts for the new tools.
- revoke + batch-revoke route signing through the Bankr agent.
- report-scam: safe JSON escaping of the description.
- SKILL.md: document 9 read-only tools; harden input validation and add
  an error-checked call helper across all steps.
- Remove unused tokenomics reference.

Verified live against $VIGIL and a real wallet.
@vigilcodes

vigilcodes commented Jun 4, 2026

Copy link
Copy Markdown
Author

Pushed an update that makes the skill actually functional end-to-end.

What changed

  • The scripts previously called a REST API that doesn't exist (api.bankr.bot/vigil/token/scan?...), so every command failed at runtime. They now call the live JSON-RPC endpoint POST https://mcp.vigil.codes/tools/call (verified 200).
  • Added a shared _vigil_lib.sh helper with:
    • strict address validation (^0x[0-9a-f]{40}$) — rejects quotes/spaces/metacharacters before any curl (no shell injection),
    • chain validation,
    • a vigil_call() that checks HTTP status + JSON-RPC error bodies before parsing, so a failed call never reports a clean scan.
  • Read-only scans (token, honeypot, score, approvals, report, market, deployer, scam check) need no API key. Only revoke requires Bankr.
  • revoke / batch-revoke route signing through the Bankr agent (scan via VIGIL, sign via Bankr).
  • Added scripts for the new tools: vigil-market.sh, vigil-deployer.sh, vigil-check-scam.sh.
  • SKILL.md now documents 9 read-only tools and uses the hardened, error-checked call pattern.

Verified live against $VIGIL and a real wallet — e.g. vigil-score.sh83/100, low, vigil-honeypot.shnot a honeypot (via GoPlus). Wallet approval scans return in ~1s.

Ready for review — thanks!

@vigilcodes vigilcodes mentioned this pull request Jun 5, 2026
Open
@vigilcodes

vigilcodes commented Jun 6, 2026

Copy link
Copy Markdown
Author

Quick update for reviewers 🙏

VIGIL is now merged into the Aeon agent framework (aaronjmars/aeon#323) after a 3-round technical review — HTTPS endpoint, strict input validation, and verified end-to-end MCP calls all signed off.

Two notes:

Ready for review whenever a maintainer has a moment. Happy to address any feedback.

@vigilcodes

vigilcodes commented Jun 17, 2026

Copy link
Copy Markdown
Author

Superseded by #480, which reworks this into a single clean skill folder (vigil-security-scanner/) matching the current SKILL.md format spec: proper YAML frontmatter, 13 tools incl. the new liquidity lock scanner, 6-source consensus, and a focused api-reference. Closing this one to avoid duplication — please review #480 instead. Thanks!

@vigilcodes vigilcodes closed this Jun 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@vigilcodes