1inch

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

• Third-party content exposure detected (high risk: 0.80). The skill explicitly calls the public 1inch APIs (see client.py using https://api.1inch.com/swap/v6.1 and fusion_client.py using https://api.1inch.com/fusion-plus) and directly consumes returned JSON (tokens, quotes, tx data, typedData, quote/order responses) which the agent then reads and uses to build, sign, submit, and poll transactions—so third-party responses can materially change tool behavior.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

• Direct money access detected (high risk: 1.00). The skill is explicitly designed to perform cryptocurrency financial operations. It provides write tools that execute token approvals and swaps (oneinch_approve, oneinch_swap) and cross-chain swap execution (oneinch_cross_chain_swap), all of which move funds on-chain and require an active wallet policy and signing. This is not a generic API or browser automation tool — its primary, explicit purpose is executing crypto transactions via the 1inch DEX aggregator. Therefore it grants direct financial execution capability.