Pre-signing token safety from Windsurf

Windsurf is Codeium's AI-native IDE with the Cascade agent and native MCP support. Once Hive is registered in Windsurf's MCP config, Cascade can call get_token_security and detect_rugpull on any contract address before recommending a swap or generating transaction code. This is pre-signing safety — the agent grounds its advice in real GoPlus + on-chain state instead of training-cutoff knowledge that may be months stale. Windsurf's strength here is its agentic coding workflow: when you ask it to write transaction code, it pre-checks the token first and refuses to proceed if the token fails the security gate.

Client: Windsurf · Use case: Token security

Hive tools used

• get_token_security — GoPlus security report — honeypot, taxes, owner permissions, transfer restrictions.
• detect_rugpull — Aggregated rugpull risk score with structured signal flags.
• analyze_coin — Full coin briefing — used as a higher-level safety gate before drilling into security specifics.

Steps

1. Register Hive in ~/.codeium/windsurf/mcp_config.json

   Open Windsurf Settings → Cascade → MCP, or directly edit the config file. Paste the Hive snippet. Restart Cascade.

   {
     "mcpServers": {
       "hive": {
         "command": "npx",
         "args": ["-y", "hive-intelligence@latest"],
         "env": { "HIVE_API_KEY": "YOUR_HIVE_API_KEY" }
       }
     }
   }

2. Confirm Cascade sees Hive tools

   Open the Cascade panel (Cmd-Shift-L) and type "list available Hive tools." Cascade should reflect the full Hive catalog. If not, check the config file syntax and re-load.

3. Make security gating part of your prompts

   When asking Cascade to write transaction code for a new token, include "first verify the token is safe with Hive's security tools." Cascade will call get_token_security before generating any transaction-signing code.

4. Refuse on red flags

   If is_honeypot is true, owner_change_balance is true, or rugpull_risk_score is over 70, Cascade should refuse to write the code and explain why. Tune your project rules in Windsurf to enforce this — the rule lives in .windsurf-rules at the project root.

5. Make the audit trail visible

   Every Hive response includes fetched_at. Have Cascade emit the timestamp into a project log so you have a verifiable record of which security state the agent was reasoning over at decision time.

Example prompt

I want to swap ETH for token 0x...xyz on Base. Write the transaction code, but first verify the token is safe — refuse if it's a honeypot or has high rugpull risk.

Sample synthesized output

Before writing the swap code I checked 0x...xyz with Hive (fetched_at: 2026-05-03T15:02:33Z):

- is_honeypot: false ✓
- buy_tax: 0%, sell_tax: 0% ✓
- transfer_pausable: false ✓
- owner_change_balance: false ✓
- can_take_back_ownership: false ✓
- rugpull_risk_score: 18/100 (low risk) ✓

Token passes the security gate. Generating swap code now (Uniswap v4 router on Base, 1% slippage tolerance, 5-minute deadline). Output saved to scripts/swap.ts. The first line of the file is a comment recording the security check timestamp for audit purposes.

If you want to proceed, run `bun run scripts/swap.ts` after setting WALLET_PK in .env. Want me to add a $-amount safeguard or limit-price logic?

Related glossary terms

• honeypot
• rugpull
• tool-call
• fetched-at

Related recipes

• Detect rugpulls and honeypots from Claude Desktop
• Compare DeFi yields and protocol health from Cursor

See also

• All recipes — every Hive × AI client combination
• Hive for AI agents — install paths and capability overview
• Comparisons hub — Hive vs alternatives