1inch-mcp-server
Warn
Audited by Snyk on Apr 27, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.70). The skill's tools (notably "search" with include_body and "get_example", listed in references/TOOLS.md and the SKILL.md tool list) fetch and return the full text of public 1inch documentation and example source files from the 1inch public portal/production endpoint (https://api.1inch.com/mcp/protocol and business.1inch.com). The agent is expected to read this content and use it to drive swaps and API actions, so it could allow indirect instruction injection.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.70). The skill requires a runtime connection to the MCP server at https://api.1inch.com/mcp/protocol, which exposes tools (e.g., get_example, search) that return documentation and example source code that can be injected into the agent context, directly influencing prompts and behavior. The docs also recommend running "npx -y supergateway …", which fetches and executes remote code locally.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill explicitly exposes authenticated tools for crypto financial actions: a "swap" tool for quotes and swap execution flows and an "orderbook" tool to build/create/list/cancel limit orders, plus authenticated "product_api" access. It also documents API key/OAuth auth patterns and gives example prompts like "Quote swapping 100 USDC to ETH" and notes execution requires auth. These are specific, purpose-built DeFi/crypto transaction capabilities (not generic HTTP or browser automation), so it provides direct financial execution authority.
Issues (3)
- W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
- W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
- W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).