Relay

Warn

Audited by Snyk on May 28, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (medium risk: 0.65). The skill’s runtime LLM context can be influenced by outsider-authored free text returned by the Relay API (e.g., api.relay.link/quote and api.relay.link/intents/status), which the plugin parses and prints as JSON fields like error, message, and step descriptions—these strings can contain attacker-controlled content that may be ingested by the agent’s LLM when the user/agent relays the output.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).


MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly designed to move money: it implements a cross-chain crypto bridge that sends ETH and ERC-20 tokens (USDC, USDT, DAI). It requires an EVM wallet, describes approval and deposit transactions, and provides an explicit execute command (relay-plugin bridge ... --confirm) that broadcasts on-chain transactions. These are direct crypto transaction/payment capabilities, not generic tooling.

Issues (3)

W011
MEDIUM

Third-party content exposure detected (indirect prompt injection risk).

W012
MEDIUM

Unverifiable external dependency detected (runtime URL that controls agent).

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level
MEDIUM
Analyzed
May 28, 2026, 11:03 AM
Issues
3
Security Audit — snyk — Relay