Dangerous action found
sendNative / sendToken / swap (write capabilities) — signs and broadcasts on-chain fund transfers and swaps across multiple chains from the agent wallet.
// src/server.ts · capability dispatch closure (server.tool callback, ~line 141) const result = await cap.invoke(client, rest as never);
Currently: runs unguarded — write-kind capabilities broadcast irreversible on-chain transactions; the only switch is an all-or-nothing BVCC_MCP_READONLY flag, no per-action human authorization.
Proposed fix — Receipt Required
Gate the write branch in the dispatch closure (src/server.ts:141): when cap.kind===write, require a @emilia-protocol/require-receipt authorization receipt before cap.invoke — one chokepoint covering every fund-moving tool.
Result after patch (RR-1):
Scope: this is a static reference-implementation assessment of a missing human-authorization receipt on one irreversible action, derived from the repository’s public source. It is not a vulnerability report, not a claim the action is exploitable, and not auth or permissions. Maintainer active (last push 2026-06-29). Handler bodies live in the external @bvcc/agent-sdk; the in-repo seam is the dispatch closure. Report intended to go live alongside a fix PR.