chainlink-ccip-skill

Fail

Audited by Gen Agent Trust Hub on May 17, 2026

Risk Level: HIGH
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The documentation in 'references/ccip-non-evm.md' references sensitive local file paths for Solana private keys, such as '/.config/solana/id.json' and '/.config/solana/devnet.json'. Since the agent has file-system access via the 'Read' tool, exposing these default credential locations creates a direct risk of key compromise.
  • [COMMAND_EXECUTION]: The skill relies on the 'Bash' tool and the 'ccip-cli' utility to execute complex on-chain actions like token transfers and contract deployments. This allows the agent to perform operations with significant financial and state consequences on blockchains.
  • [EXTERNAL_DOWNLOADS]: The skill fetches documentation, configuration, and software from official vendor domains ('docs.chain.link') and verified 'smartcontractkit' GitHub repositories. These operations target well-known services associated with the skill's primary functionality.
  • [DATA_EXFILTRATION]: The skill processes untrusted external data via 'WebFetch' and on-chain responses through the 'ccip_sdk' MCP tool. While the skill implements an 'Approval Protocol' and 'Second Confirmation Rule' to mitigate risks, the combination of network access, file system visibility, and sensitive credential paths provides a surface for potential data exfiltration. Evidence chain:
      • Ingestion points: 'WebFetch' for documentation and 'ccip_sdk' MCP for on-chain data.
      • Boundary markers: Mandatory preflight summaries and double-confirmation for all on-chain actions.
      • Capability inventory: 'Bash', 'Write', 'Edit', and MCP-based blockchain interaction.
      • Sanitization: Relies on human-in-the-loop review of preflight summaries rather than automated sanitization of external data.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: May 17, 2026, 05:23 PM