If you find a security issue in ASPForge, please open a GitHub issue with as much detail as you're comfortable including (affected endpoint/tool, reproduction steps, potential impact). For anything sensitive enough that you'd rather not post publicly, reach out to the maintainer directly before disclosing it in an issue.
Please don't open a public issue for a vulnerability that's actively exploitable against a live deployment until there's been a chance to fix it.
ASPForge is advisory software: it validates draft input and never calls OKX's real onchainos CLI or submits anything to OKX.AI on a caller's behalf. Wallet signatures stay inside the user's wallet. ASPForge never requests, stores, or transmits a wallet private key or recovery phrase.
The web app (web/) accepts unauthenticated POST requests to /api/scorecard and /api/launchpack. Both are rate-limited and input-validated at the boundary before reaching the core engine. The current application limiter is per server instance, while Vercel remains responsible for platform-level abuse controls. Reports of ways around either boundary are in scope.
Paid results are withheld unless the facilitator verifies and settles the payment. Exact EVM payments use expiring EIP-3009 authorizations, and the token contract records each authorization nonce so a settled authorization cannot be replayed. ASPForge does not currently keep a durable paid-response cache, so a retry after a lost successful response fails safely instead of returning a cached result.
Payment authorization headers are size-limited and requests are rate-limited before facilitator verification. AI rewrite suggestions require a short-lived entitlement tied to the exact paid scorecard input. A settlement transport failure is reported as an unknown payment status so users are not incorrectly told to retry a potentially completed payment.
This project ships from main. Only the latest commit on main is supported; there's no maintained older release line.