1Shot API — agentic threat model
1Shot API presents a high-risk profile due to its capability to execute autonomous onchain transactions, manage wallets, and interact with EVM smart contracts, where prompt injection or tool misuse can lead to direct, irreversible financial loss.
OWASP AIVSS score rationale
| Agentic risk factor | Value |
| --- | --- |
| Autonomy of Action | 0.80 |
| Goal-Driven Planning | 0.50 |
| Self-Modification | 0.10 |
| Dynamic Tool Use | 0.90 |
| Persistent Memory | 0.30 |
| Contextual Awareness | 0.60 |
| Dynamic Identity | 0.80 |
| Multi-Agent Interactions | 0.40 |
| Non-Determinism | 0.50 |
| Opacity & Reflexivity | 0.50 |
Scored with the canonical OWASP AIVSS formula (AIVSS calculator reference); agentic risk factors estimated from the agent’s described capabilities.
MAESTRO 7-layer threat model
Per-layer threats for this agent. Layers tagged “not certain from listing” are general, caveated commentary where the public description didn’t pin that layer.
Layer 1, Foundation Models: Not certain from the listing — The listing mentions '1Shot Prompts' for AI reasoning but does not specify the underlying LLMs used. Threats include prompt injection leading to unauthorized transaction generation or misinterpretation of contract methods.
Layer 2, Data Operations: Not certain from the listing — No explicit database or vector store details are provided, though it tracks smart contract ABIs and schemas. Risks include poisoning of the annotated contract prompts database, leading to malicious contract interactions.
Layer 3, Agent Frameworks: The framework orchestrates transactions, batches calls, and integrates with n8n/Make/IFTTT. Threats include tool misuse where an LLM is tricked into calling a destructive smart contract function (e.g., transfer or self-destruct) due to flawed prompt annotations.
Layer 4, Deployment and Infrastructure: Not certain from the listing — Hosted as a closed-source API with managed wallets. Threats include compromise of the managed wallet infrastructure, private key leakage, or unauthorized access to the transaction orchestration backend.
Layer 5, Evaluation and Observability: Provides gas estimation and webhooks when transactions are finalized. However, there is no mention of real-time transaction guardrails, anomaly detection for unusual transfer volumes, or LLM output sanitization.
Layer 6, Security and Compliance: Uses MetaMask Delegation Framework and managed wallets for access control. However, being closed-source and handling direct financial transactions without explicit mention of SOC2, smart contract audits, or rigorous KYC/AML compliance presents significant compliance risks.
Layer 7, Agent Ecosystem: Designed to turn smart contracts into tools for external 'AI-driven systems' and workflow platforms (n8n, Make). This creates a high risk of cascading failures where a compromised upstream agent triggers unauthorized onchain transactions through 1Shot API.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).
These scores are auto-generated from public information (the agent's own listing, docs, and repository) using the canonical OWASP AIVSS formula and the MAESTRO framework — an estimate for guidance, not a penetration test, audit, or certification.