
fix: replace hardcoded Allora API key with environment variable#1033

Open
tombudd wants to merge 1 commit into coinbase:main from tombudd:fix/remove-hardcoded-api-key

Conversation


@tombudd tombudd commented Mar 23, 2026

Summary

Security audit identified a hardcoded API key in the Allora action provider:

Finding: Hardcoded Allora API key
Severity: High
File: typescript/agentkit/src/action-providers/allora/alloraActionProvider.ts:32

The key UP-4151d0cc489a44a7aa5cd7ef is committed in source code. Even though the comment describes it as a "public, development only key," hardcoded credentials in source code create risks:

  • Key can be scraped and abused at scale, exhausting rate limits for legitimate users
  • If the key is rotated, all users on older versions silently break
  • Sets a bad pattern for contributors who may add more sensitive keys the same way

Changes

  • Replaced hardcoded DEFAULT_API_KEY with process.env.ALLORA_API_KEY || ""
  • Updated comments to direct users to set ALLORA_API_KEY in their .env file

Files: 1 changed — alloraActionProvider.ts (+3 / -3 lines)


This review was performed by UNA — an autonomous AI security auditor built by Tom Budd (tom@tombudd.com | tombudd.com/una-reviews).

- Move DEFAULT_API_KEY from hardcoded string to process.env.ALLORA_API_KEY
- Even 'public/dev' keys in source code can be scraped, abused, and cause rate-limit issues
- Users should set ALLORA_API_KEY in their .env file

Security audit performed by UNA — autonomous AI security auditor
Built by Tom Budd (tom@tombudd.com | tombudd.com/una-reviews)
Copilot AI review requested due to automatic review settings March 23, 2026 05:18
@tombudd tombudd requested a review from murrlincoln as a code owner March 23, 2026 05:18
@cb-heimdall

🟡 Heimdall Review Status

Requirement Status More Info
Reviews 🟡 0/1
Denominator calculation
1 if user is bot 0
1 if user is external 0
2 if repo is sensitive 0
From .codeflow.yml 1
Additional review requirements
Max 0
0
From CODEOWNERS 0
Global minimum 0
Max 1
1
1 if commit is unverified 1
Sum 2

Copilot AI left a comment

Pull request overview

Removes the previously hardcoded Allora API key from the Allora action provider and switches configuration to be supplied via environment variables, addressing a high-severity security audit finding.

Changes:

  • Replaced the hardcoded default Allora API key with process.env.ALLORA_API_KEY.
  • Updated inline comments to instruct users to configure ALLORA_API_KEY.
Comments suppressed due to low confidence (1)

typescript/agentkit/src/action-providers/allora/alloraActionProvider.ts:36

  • process.env.ALLORA_API_KEY || "" forces config.apiKey to become an empty string when neither config.apiKey nor the env var is set. This makes the provider look configured while still using an invalid key, and can lead to confusing downstream errors. Consider aligning with other providers by setting config.apiKey ||= process.env.ALLORA_API_KEY and throwing a clear error if it’s still missing (or at least avoid defaulting to an empty string).
    // Load API key from environment. Set ALLORA_API_KEY in your .env file.
    // See https://docs.allora.network for API key registration.
    const DEFAULT_API_KEY = process.env.ALLORA_API_KEY || "";

    config.apiKey = config.apiKey || DEFAULT_API_KEY;
    config.chainSlug = config.chainSlug || ChainSlug.TESTNET;
    this.client = new AlloraAPIClient(config);


Comment on lines +30 to 35
// Load API key from environment. Set ALLORA_API_KEY in your .env file.
// See https://docs.allora.network for API key registration.
const DEFAULT_API_KEY = process.env.ALLORA_API_KEY || "";

config.apiKey = config.apiKey || DEFAULT_API_KEY;
config.chainSlug = config.chainSlug || ChainSlug.TESTNET;
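Review bot: the `|| ""` on `const DEFAULT_API_KEY = process.env.ALLORA_API_KEY || "";` turns a missing key into an empty string that `config.apiKey = config.apiKey || DEFAULT_API_KEY;` then hands to AlloraAPIClient, so the provider constructs cleanly and the failure only surfaces later as an authentication error from the API. Prefer `config.apiKey = config.apiKey ?? process.env.ALLORA_API_KEY;` followed by an explicit throw with a descriptive message when it is still undefined. Separately, process.env is read when the constructor runs, so the comment "Set ALLORA_API_KEY in your .env file" should add that the .env file must be loaded into the environment before the provider is instantiated, otherwise the same silent empty-key path is taken.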
Copilot AI Mar 23, 2026

The new env-var fallback for the API key isn’t covered by tests. Since this repo already has Jest tests for this provider, please add coverage that (1) ALLORA_API_KEY is used when config.apiKey is omitted, and (2) a clear error is raised when neither is provided (if you adopt the validation suggested above).

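An added example, not AgentKit's or the PR's own code, showing the PR's empty-string fallback beside the fail-fast resolution the review asks for, plus a line scanner a CI check could run to catch a reintroduced literal key of the shape this PR removes. The names resolveApiKeyWeak, resolveApiKeyStrict, MissingApiKeyError, findHardcodedAlloraKeys and SAMPLE_BEFORE are hypothetical, and the sample key is a placeholder.

```typescript
// Added example, not AgentKit's own code; every name here is hypothetical.
// Env is injectable so tests never touch the real process.env.
type Env = Record<string, string | undefined>;

class MissingApiKeyError extends Error {
  constructor() {
    super(
      "Allora API key missing: pass config.apiKey or set ALLORA_API_KEY " +
        "(see https://docs.allora.network for API key registration)",
    );
    this.name = "MissingApiKeyError";
  }
}

// What the PR ships: absence collapses to "", which looks configured.
function resolveApiKeyWeak(configKey: string | undefined, env: Env): string {
  const DEFAULT_API_KEY = env.ALLORA_API_KEY || "";
  return configKey || DEFAULT_API_KEY;
}

// Hardened form along the lines the review suggests: explicit config wins,
// then the env var, and a missing key fails fast with a clear message.
function resolveApiKeyStrict(configKey: string | undefined, env: Env): string {
  const key = (configKey ?? "").trim() || (env.ALLORA_API_KEY ?? "").trim();
  if (key === "") {
    throw new MissingApiKeyError();
  }
  return key;
}

// CI guard: flag string literals shaped like the key this PR removes
// ("UP-" + 24 hex chars) so a contributor cannot quietly reintroduce one.
// Returns the 1-based line numbers of offending lines.
const ALLORA_KEY_LITERAL = /["'`]UP-[0-9a-f]{24}["'`]/;

function findHardcodedAlloraKeys(source: string): number[] {
  return source
    .split("\n")
    .map((line, i) => (ALLORA_KEY_LITERAL.test(line) ? i + 1 : -1))
    .filter((n) => n > 0);
}

// Constructed sample in the "before" shape of alloraActionProvider.ts,
// with a placeholder key rather than a real credential.
const SAMPLE_BEFORE = [
  "// public, development only key",
  'const DEFAULT_API_KEY = "UP-' + "0".repeat(24) + '";',
  "config.apiKey = config.apiKey || DEFAULT_API_KEY;",
].join("\n");
```

Running findHardcodedAlloraKeys over changed files in CI, and resolveApiKeyStrict in the provider constructor, covers both regressions the review raises: a literal key creeping back in and a missing key going unnoticed.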