feat(fixtures): refresh web3 router fixtures from upstream, add 6 new routers #23
Open
Markeljan wants to merge 1 commit into
… routers
Sync every fixture under e2e/fixtures/profiles/web3/ to its actual public
upstream so the AST-10 Web3 Annex comparison reflects what `npx skills add`
installs rather than curated mocks.
Existing fixtures refreshed from upstream (2026-05-22):
- odos-swap ← odos-xyz/odos-skills@main (full repo layout)
- 1inch-swap ← Starchild-ai-agent/official-skills 2.2.1
- kyberswap-swap ← KyberNetwork/kyberswap-skills swap-execute + references/
- 0x-swap ← 0xProject/0x-ai (replaces unofficial 0xterrybit fixture)
New fixtures (top EVM routers/aggregators/bridges with public skills):
- uniswap-swap ← Uniswap/uniswap-ai swap-integration
- pancakeswap-swap ← pancakeswap/pancakeswap-ai swap-integration
- lifi-swap ← lifinance/lifi-agent-skills li-fi-api
- across-swap ← across-protocol/skills swap
- sushiswap-swap ← sushi-labs/agent-skills sushiswap-api
- debridge-swap ← debridge-finance/debridge-skills swap
cowswap-swap retained as the only mock — no upstream agent skill exists.
Cleanup of stale leftovers from the prior fixture iteration:
- removed adversarial src/ shell scripts that injected `$PRIVATE_KEY` and
hardcoded ERC-20 addresses, distorting AST05 audits
- removed orphan SKILL.fast.md (upstream ships fast as a separate skill)
- removed curated skill.json files so SKILL.md frontmatter is the canonical
manifest — matches `bunx agentsec` output on installed skills
Comparison runner extended to 11 skills (scripts/run-web3-comparison.ts +
e2e/fixtures/profiles/web3/index.json). Regenerated report.{md,html,json}
and scores.csv. New scoreboard: Odos 88 B (matches installed audit
exactly), SushiSwap 71 C, CowSwap 70 C, mid-tier 45-49 D, 1inch 29 F (134
findings from script-first community fork).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary

- `e2e/fixtures/profiles/web3/` to its actual public upstream so the AST-10 Web3 Annex comparison reflects what `npx skills add` installs rather than curated mocks.
- `src/` shell scripts, orphan `SKILL.fast.md`, and curated `skill.json` files that were distorting audit scores away from what `bunx agentsec` reports on installed skills.

Scoreboard (11 skills, `--profile web3`)

Odos's score now matches `bunx agentsec@latest` on the installed skill exactly (88 B) — confirms the fixture is a faithful mirror, not a curated mock.

Notable audit signals (outreach hooks)

- `allowedContracts` allowlist; Odos solved this with one block of frontmatter.
- `swap-execute-fast` advertises "DANGEROUS - no confirmation before sending real transactions" in its description; the scanner flags 3× AST-W01 high signing-authority findings on exactly that code path.
- `li-fi-api` SKILL.md has no `license` or `version` field, and its upstream Snyk audit failed.
- `license` declared (AST04 medium each).
- `skills/swap/SKILL.md` has zero YAML frontmatter — pure markdown body, last touched Feb 2026.

Routers without any public skill (outreach candidates)

Curve, Bebop, Rango, Socket/Bungee, Jumper, Aerodrome, DODO, Maverick, Velora (ex-Paraswap). Squid and Symbiosis ship MCP servers only — recommend publishing a complementary SKILL.md.

What changed in each fixture

- `odos-swap`
- `1inch-swap`: `scripts/` (12 Python files), removed stale `src/` + `skill.json`
- `kyberswap-swap`: `src/` + `SKILL.fast.md` + `skill.json`, added upstream `references/`
- `0x-swap`: `0xterrybit` fixture with official `0xProject/0x-ai`, removed stale `src/` + `skill.json`
- `cowswap-swap`
- `uniswap-swap`: `references/advanced-patterns.md`
- `pancakeswap-swap`
- `lifi-swap`: `references/REFERENCE.md`
- `across-swap`
- `sushiswap-swap`: `references/OPENAPI.md` + `openapi.yaml`
- `debridge-swap`: `monitoring.md` + `preflight.md` siblings

Test plan

- `bun run compare:web3` runs cleanly on all 11 fixtures
- `examples/comparison/web3-routers/{report.md,report.html,report.json,scores.csv}` regenerated
- `bunx agentsec@latest` output on the installed `~/.agents/skills/odos/`
- `live-version-npm`'s STOR-004 false-positive fix (9836f87) once that merges to main — would reduce 1inch findings 134 → 133

🤖 Generated with Claude Code
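The manifest gaps named under "Notable audit signals" (a SKILL.md with no YAML frontmatter, or frontmatter with no `license` or `version` field) can be checked mechanically before a fixture is synced. The sketch below is an added example, not code from this PR or from agentsec; the function names, the finding shape and the sample manifests are assumptions constructed for illustration, and only top-level `key: value` lines are parsed.

```typescript
// Added example, not agentsec's implementation. The checked field names
// ("license", "version") come from the PR text; all other names are hypothetical.
type Finding = { field: string; message: string };

// Return the body of the leading `---` ... `---` block, or null if there is none.
function extractFrontmatter(markdown: string): string | null {
  const lines = markdown.replace(/^\uFEFF/, "").split(/\r?\n/);
  if ((lines[0] ?? "").trim() !== "---") return null;
  for (let i = 1; i < lines.length; i++) {
    if ((lines[i] ?? "").trim() === "---") return lines.slice(1, i).join("\n");
  }
  return null; // opening fence never closed: treat as no frontmatter
}

// Collect top-level `key: value` pairs; indented (nested) keys are ignored.
function topLevelKeys(frontmatter: string): Map<string, string> {
  const keys = new Map<string, string>();
  for (const line of frontmatter.split("\n")) {
    const m = /^([A-Za-z_][\w-]*):\s*(.*)$/.exec(line);
    if (m) keys.set(m[1] ?? "", (m[2] ?? "").trim());
  }
  return keys;
}

function auditSkillManifest(markdown: string): Finding[] {
  const fm = extractFrontmatter(markdown);
  if (fm === null) {
    return [{ field: "frontmatter", message: "SKILL.md has no YAML frontmatter" }];
  }
  const keys = topLevelKeys(fm);
  const findings: Finding[] = [];
  for (const field of ["license", "version"]) {
    const value = (keys.get(field) ?? "").replace(/^["']|["']$/g, "");
    if (value === "") findings.push({ field, message: `frontmatter has no ${field}` });
  }
  return findings;
}

// Constructed sample manifests (not copied from any upstream skill).
const complete = "---\nname: demo-swap\nlicense: MIT\nversion: 1.0.0\n---\n# Demo\n";
const noMeta = "---\nname: demo-api\ndescription: Example\n---\n# Demo\n";
const bodyOnly = "# Swap\n\nPure markdown body.\n";

for (const [label, doc] of [["complete", complete], ["noMeta", noMeta], ["bodyOnly", bodyOnly]]) {
  console.log(label, auditSkillManifest(doc ?? "").map((f) => f.field));
}
```

A `version` nested under another key is reported as missing here, since only top-level keys count as the manifest.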