start_swap
on https://chainflip-broker.io/mcp
Severity
1 finding on this tool
- highsecret exposuref-r10-start_swap
Tool `start_swap` exposes secrets or credentials to the agent
`start_swap` appears to read or return secrets, API keys, credentials, or environment variables (Start a cross-chain swap. Returns the deposit address where you should send your source asset. API key is optional.). Values surfaced in the model context are visible to any prompt with injection access; a compromised agent can relay them to an attacker-controlled server.
fix: Do not expose secrets to the agent: inject them server-side at call time rather than passing them through the model context. If a tool must return a credential, scope it with a capframe-bind time-limited caveat and log every issuance.
OWASP LLM06NIST MANAGE-2.2ATLAS T0040
About this tool
start_swap is one of 6 tools exposed by Chainflip Broker MCP. The server scored 80/100 overall against the capframe rule engine (source: http). Last scanned 2026-06-26.
The findings above are emitted by the public capframe.findings.v1 schema. Disagree with one? Open an issue.