aggregator-hook-creator

Warn

Audited by Gen Agent Trust Hub on Feb 19, 2026

Risk Level: MEDIUM (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
  • [COMMAND_EXECUTION] (MEDIUM): The GenericAggregatorHook implementation in references/implementations.md utilizes abi.decode and low-level .call() to perform arbitrary contract calls based on hookData provided during a swap. While limited by an allowedTargets check, this design allows any function on a whitelisted contract to be invoked with any parameters, potentially leading to unintended interactions if target contracts are complex.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill requests Bash(curl:), Bash(npm:), and Bash(npx:*) permissions in SKILL.md. Since the author 'uniswap' is not in the pre-approved trusted organization list, these capabilities are flagged as medium risk due to their potential use in fetching and executing untrusted scripts or exfiltrating data.
  • [PROMPT_INJECTION] (LOW): The skill is susceptible to Indirect Prompt Injection (Category 8) because the proposed architecture processes untrusted external data (hookData) to drive execution logic. Evidence Chain: 1. Ingestion point: hookData parameter in beforeSwap function. 2. Boundary markers: Absent in the implementation. 3. Capability inventory: Low-level EVM .call() allows state-changing interactions. 4. Sanitization: Limited to an address-based allowedTargets whitelist.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 19, 2026, 05:13 PM