Every DEX router skill, audited under the annex.
We extended OWASP AST10 with 12 chain-specific rules — signing authority, Permit2 capture, blind signing, RPC pinning, kill-switch, MCP drift, oracle manipulation, key material leaks — and ran them against every public DEX router agent skill we could find. Same audit, same coverage, side by side.
11 skills, ranked.
Every public DEX router agent skill we could find, audited with --profile web3 forced on so coverage is identical across rows. Click through to each upstream repository on GitHub.
| # | Skill | Score | Grade | Findings | Source |
|---|---|---|---|---|---|
| 1 | Odos (reference) | 88 | B | 4 | github → |
| 2 | SushiSwap | 71 | C | 5 | github → |
| 3 | CowSwap | 70 | C | 4 | — |
| 4 | KyberSwap | 49 | D | 29 | github → |
| 4 | Uniswap | 49 | D | 12 | github → |
| 4 | PancakeSwap | 49 | D | 13 | github → |
| 4 | Across | 49 | D | 8 | github → |
| 4 | deBridge | 49 | D | 9 | github → |
| 9 | 0x | 48 | D | 9 | github → |
| 10 | LI.FI | 45 | D | 8 | github → |
| 11 | 1inch | 26 | F | 136 | github → |
12 chain-specific rules.
The base OWASP AST10 covers generic skill risks — prompt injection, supply chain, over-privilege. The Web3 Annex extends it with rules that apply to any skill that holds keys, signs typed data, calls smart contracts, bridges assets, or exposes chain capabilities through MCP.
Unbounded Signing Authority
Skills that sign arbitrary transactions without per-action caps or allowlisted contracts.
Permit / Permit2 Signature Capture
EIP-712 Permit2 payloads signed without verifying the spender against a vetted allowlist.
Delegation Hijack via EIP-7702
SetCodeAuthorizations constructed without delegate allowlists or expiry checks.
Blind / Opaque Signing Surface
Typed data shown to the user that doesn't match what's actually being signed.
RPC Endpoint Substitution
Hardcoded RPC URLs, or no protection against exposure to the unprotected mempool.
Unverified Contract Call Targets
Calldata constructed from model output without bytecode-hash or address pinning.
Cross-Chain / Bridge Action Replay
Bridge calls without idempotency keys or destination allowlists.
MCP Chain-Tool Drift
Pinned MCP servers without hash verification or tool-schema diffing on update.
Session-Key Caveat Erosion
ERC-7715 session keys missing expiry, valueLimit, or target restrictions.
Slippage / Oracle Manipulation
Swap or oracle queries without TWAP, deadline ceiling, or slippage caps.
Key Material in Agent Memory
Hex-format private keys or mnemonics flowing into log sinks or tool outputs.
No On-Chain Action Audit / Kill-Switch
No declared audit sink or kill-switch contract for incident response.
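One way a skill could satisfy the Permit / Permit2 Signature Capture rule before signing, shown as an added example that is not code from the audit tool or from any audited skill. The field names follow Permit2's PermitSingle typed data; `checkPermit2`, `samplePermit`, the policy shape and every address are constructed for illustration.

```javascript
// Pre-sign guard for Permit2 PermitSingle typed data (added example).
// Every address here is a constructed placeholder, not a real deployment.
const MAX_UINT160 = (1n << 160n) - 1n; // Permit2 allowance amounts are uint160

const POLICY = {
  chainId: 1,
  permit2: "0x00000000000000000000000000000000000000a1",            // pinned verifyingContract
  spenders: new Set(["0x00000000000000000000000000000000000000b2"]), // vetted routers
  maxAmount: 1_000_000_000n, // per-action cap, token base units
  maxLifetimeSec: 1800,      // ceiling for expiration and sigDeadline
};

function checkPermit2(typedData, policy, nowSec) {
  const violations = [];
  const { domain = {}, primaryType, message = {} } = typedData;
  const details = message.details || {};
  const lower = (a) => String(a || "").toLowerCase();

  if (primaryType !== "PermitSingle") violations.push("unexpected primaryType");
  if (Number(domain.chainId) !== policy.chainId) violations.push("wrong chainId");
  if (lower(domain.verifyingContract) !== policy.permit2) violations.push("unpinned verifyingContract");
  if (!policy.spenders.has(lower(message.spender))) violations.push("spender not allowlisted");

  let amount = null;
  try { amount = BigInt(details.amount); } catch { /* missing or malformed */ }
  if (amount === null || amount < 0n) violations.push("amount missing or invalid");
  else if (amount === MAX_UINT160) violations.push("unlimited allowance");
  else if (amount > policy.maxAmount) violations.push("amount exceeds cap");

  const ceiling = nowSec + policy.maxLifetimeSec;
  if (!(Number(details.expiration) <= ceiling)) violations.push("expiration beyond ceiling");
  if (!(Number(message.sigDeadline) <= ceiling)) violations.push("sigDeadline beyond ceiling");
  return violations; // empty array means the payload may be signed
}

// Constructed sample payload builder for trying the guard.
function samplePermit(spender, amount, lifetimeSec, nowSec) {
  return {
    primaryType: "PermitSingle",
    domain: { name: "Permit2", chainId: 1, verifyingContract: POLICY.permit2 },
    message: {
      details: { token: "0x00000000000000000000000000000000000000c3", amount, expiration: nowSec + lifetimeSec, nonce: 0 },
      spender,
      sigDeadline: nowSec + lifetimeSec,
    },
  };
}
```

The guard also enforces a per-action amount cap and a lifetime ceiling, which touches the Unbounded Signing Authority rule as well.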
Audit your skill in 5 seconds.
The same command we ran on every router above — auto-detects web3 skills and applies the annex on top of OWASP AST10. JSON, HTML, and SARIF outputs ship out of the box.