circle-cctp

Warn

Audited by Snyk on Jun 19, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 0.90). The skill makes runtime fetch calls to Circle's Iris APIs (https://iris-api.circle.com and https://iris-api-sandbox.circle.com) to retrieve attestation bytes/messages that are then used to drive contract calls (e.g., receiveMessage) — a required external runtime dependency that directly controls what the agent executes.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly designed to move money on-chain: it documents USDC burn-and-mint cross-chain transfers, includes contract-level functions (TokenMessengerV2.depositForBurn, MessageTransmitterV2.receiveMessage), integration steps (approve USDC, call depositForBurn, call receiveMessage), Iris API endpoints for attestations/fees/allowance, fee calculation, and a Bridge Kit SDK with an explicit kit.bridge(...) "Execute bridge" call. These are concrete crypto transfer APIs and operations (wallets/contracts/attestations) that enable sending/value movement, not generic tooling.

Issues (2)

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level
MEDIUM
Analyzed
Jun 19, 2026, 02:54 PM
Issues
2
Security Audit — snyk — circle-cctp