@432/meta-dex-aggregator

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.90). The skill fetches live quotes and executable transaction data from multiple public third‑party APIs (e.g., ParaSwap apiv5.paraswap.io, Odos api.odos.xyz, CowSwap api.cow.fi, LI.FI li.quest, 0x api.0x.org, DefiLlama coins.llama.fi, DexScreener, and a public tokenlist on cloudfront) and the agent is expected to read and act on those responses (tx payloads, routes, and price data) to decide and execute swaps, so untrusted external content can directly influence tool calls and behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly a crypto DEX aggregator with built-in execution and tooling to move funds. It documents commands and tools that perform swaps and transfers: oneinch_swap, wallet_transfer (execute tx data), oneinch_cross_chain_swap, cowswap_poll_order (auto-poll until fulfilment), LI.FI routes with ready-to-sign tx data and execution via wallet_transfer, market-order flag for instant 1inch execution, and required wallet addresses/tx hashes and auto-verify flows. These are specific crypto transaction execution capabilities (wallet signing/transfer, swaps, cross-chain bridging, market orders), not generic APIs or browser automation. This fits the "Crypto/Blockchain (Wallets, Swaps, Signing)" and "Market Orders" items in the core rule, so it grants Direct Financial Execution Authority.