skills/apeworx/skills/uniswap/Gen Agent Trust Hub

uniswap

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Categories: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE
Full Analysis
  • EXTERNAL_DOWNLOADS (HIGH): The skill mandates using web_fetch to retrieve content from several external URLs, including github.com/ApeWorX/uniswap-sdk, docs.apeworx.io, and github.com/ApeWorX/ape-tokens. These sources are not on the Trusted External Source list.
  • PROMPT_INJECTION (HIGH): This skill is highly susceptible to Indirect Prompt Injection. It explicitly instructs the agent to use fetched external content as authoritative guidance for writing code. An attacker controlling these external pages could inject instructions to divert funds, modify trade parameters, or exfiltrate sensitive data.
      • Ingestion points: web_fetch calls to GitHub and ApeWorX documentation.
      • Boundary markers: None. The instructions demand strict adherence to the fetched documentation.
      • Capability inventory: Writing and executing Python code, interacting with blockchain networks, and managing ape accounts.
      • Sanitization: None detected.
  • COMMAND_EXECUTION (HIGH): The skill involves generating and running code that interacts with the Uniswap protocol and local Ape accounts. Combining dynamic code generation with untrusted external documentation creates a significant risk of Remote Code Execution (RCE) via injected logic.
  • CREDENTIALS_UNSAFE (MEDIUM): The skill references ape accounts and "live network accounts." While no keys are hardcoded, the workflow involves the agent handling financial credentials. If the documentation fetching is compromised, these credentials could be exposed or misused.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 04:22 AM