circle-cctp
Warn
Audited by Snyk on Jun 19, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 0.90). The skill makes runtime fetch calls to Circle's Iris APIs (https://iris-api.circle.com and https://iris-api-sandbox.circle.com) to retrieve attestation bytes/messages that are then used to drive contract calls (e.g., receiveMessage) — a required external runtime dependency that directly controls what the agent executes.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). The skill is explicitly designed to move money on-chain: it documents USDC burn-and-mint cross-chain transfers, includes contract-level functions (TokenMessengerV2.depositForBurn, MessageTransmitterV2.receiveMessage), integration steps (approve USDC, call depositForBurn, call receiveMessage), Iris API endpoints for attestations/fees/allowance, fee calculation, and a Bridge Kit SDK with an explicit kit.bridge(...) "Execute bridge" call. These are concrete crypto transfer APIs and operations (wallets/contracts/attestations) that enable sending/value movement, not generic tooling.
Issues (2)
W012
MEDIUMUnverifiable external dependency detected (runtime URL that controls agent).
W009
MEDIUMDirect money access capability detected (payment gateways, crypto, banking).
Audit Metadata