1inch
Warn
Audited by Snyk on Apr 15, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.80). The skill directly queries public 1inch endpoints (e.g., Fusion+ quoter/build/relayer URLs such as https://api.1inch.com/fusion-plus/... and the swap/quote endpoints in client.py/exports.py/fusion_tools.py) and consumes returned quote/typedData/transaction/extension payloads, which are then interpreted, signed, and submitted by the agent, so third-party API responses can materially influence tool actions.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.80). The skill makes runtime calls to 1inch endpoints (e.g., https://api.1inch.com/fusion-plus) which return order/typedData and transaction payloads that the agent signs/submits, so remote responses directly determine agent actions and the skill requires these external APIs to operate.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly a crypto trading/infrastructure connector (1inch DEX aggregator) and exposes native write tools that perform on-chain financial actions: oneinch_swap, oneinch_fusion_swap (gasless execution), oneinch_cross_chain_swap, oneinch_sol_to_evm_swap (returns signed tx for broadcast), oneinch_create_limit_order, oneinch_cancel_limit_order, oneinch_approve, and instructions to broadcast via the platform wallet endpoint (/agent/transfer). These are specific crypto/payment transaction operations (signing/broadcasting swaps, approvals, limit orders, cross-chain transfers), not generic tools. Therefore it grants direct financial execution capability.
Issues (3)
W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).
W012 (MEDIUM): Unverifiable external dependency detected (runtime URL that controls agent).
W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata