feat: added a cli tool and docs for use in editing the files

[blurpesec]

This pull request introduces a new CLI tool for managing contract metadata and icons according to the CAIP-19 standard. The tool provides commands to add, update, verify, and list assets, and includes thorough documentation and workflow instructions. The changes also add supporting dependencies and update project scripts to make the CLI easily accessible.

CLI Tool Introduction and Documentation

• Added comprehensive instructions and usage examples for the new CLI tool in .github/copilot-instructions.md, CLAUDE.md, and README.md, detailing commands for adding, updating, verifying, and listing CAIP-19 assets, as well as workflow and file structure notes. [1] [2]

Project Scripts and Dependencies

• Updated package.json to add scripts for running the CLI tool (asset, asset:set, asset:verify, asset:list) and included the zod dependency for input validation. [1] [2]

---

Note

Medium Risk
Adds a new Node CLI that writes/updates metadata, icons, and labels on disk (including downloading remote images), so incorrect usage or edge cases could modify repo assets unexpectedly. Runtime/library consumers are largely unaffected since changes are mainly tooling, docs, and dev dependencies.

Overview
Adds a new cli-update-asset.js CLI to set/update assets, verify metadata+icon consistency, and list assets by namespace, including validation (Zod), optional label file management, and support for local files or downloaded image URLs.

Updates package.json to expose npm run asset:* commands, adds zod, and extends tests with coverage for parseLabels. Documentation is expanded in README.md and new AI instruction pointer files (.cursorrules, CLAUDE.md, .github/copilot-instructions.md) describing the new workflow.

^{Written by Cursor Bugbot for commit f77a730. This will update automatically on new commits. Configure here.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	zod@​4.3.6

View full report

[socket-security]

Warning

MetaMask internal reviewing guidelines:

• Do not ignore-all
• Each alert has instructions on how to review if you don't know what it means. If lost, ask your Security Liaison or the supply-chain group
• Copy-paste ignore lines for specific packages or a group of one kind with a note on what research you did to deem it safe.
  @SocketSecurity ignore npm/PACKAGE@VERSION

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Medium CVE: npm bn.js affected by an infinite loop CVE: GHSA-378v-28hj-76wf bn.js affected by an infinite loop (MODERATE) Affected versions: < 4.12.3; >= 5.0.0 < 5.2.3 Patched version: 4.12.3 From: ? → npm/ethereumjs-util@5.2.1 → npm/bn.js@4.12.2 ℹ Read more on: This package | This alert | What is a medium CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Remove or replace dependencies that include known medium severity CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/bn.js@4.12.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm get-intrinsic is 100.0% likely to have a medium risk anomaly Notes: The GetIntrinsic module is a conventional intrinsic resolver designed for sandboxed JavaScript environments. It includes careful validation, alias handling, and selective dynamic evaluation for specific intrinsics. While there is a real potential risk from Function-based evaluation if exposed to untrusted input, in this isolated code path there is no evidence of data leakage, backdoors, or external communications. The component is acceptable with proper sandbox boundaries; the most important mitigations are ensuring inputs are trusted and that dynamic evaluation cannot be triggered by untrusted sources. Confidence: 1.00 Severity: 0.60 From: ? → npm/ethereumjs-util@5.2.1 → npm/tape@4.17.0 → npm/get-intrinsic@1.3.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/get-intrinsic@1.3.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm zod is 100.0% likely to have a medium risk anomaly Notes: No explicit network exfiltration, reverse shell, or credential theft is present in this fragment. However, the code assembles and compiles arbitrary code via the Function constructor and invokes passed-in functions immediately (twice). That behavior constitutes a strong dangerous primitive (arbitrary code execution) which can be abused if any inputs (strings or args) are attacker-controlled. Treat this module as risky in threat models where inputs are not fully trusted; review call sites and sanitize/validate inputs or avoid dynamic evaluation. Confidence: 1.00 Severity: 0.60 From: package.json → npm/zod@4.3.6 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/zod@4.3.6. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

^{Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, have a team admin enable autofix in the Cursor dashboard.}