chainlink-ccip-skill

Warn

Audited by Snyk on May 17, 2026

Risk Level: MEDIUM
Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.70). The skill's Documentation Access section and multiple workflow files (e.g., references/ccip-discovery.md and references/official-sources.md) require the agent to fetch and use live public web content (e.g., https://docs.chain.link/ccip, the CCIP Directory pages, https://ccip.chain.link/ and related GitHub repos) to determine routes, token support, and other live facts that materially influence tool selection and on-chain decisions. This exposes the agent to third-party public content that could carry indirect prompt injection.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly built for crypto financial operations: it handles cross-chain token transfers, bridging funds, sending CCIP messages, creating/registering tokens and CCT lanes, and routes calls to a specific MCP tool (ccip_sdk) or to the SDK/CLI for programmatic transfers. These are direct blockchain/crypto transaction capabilities (wallet/transfer/bridge/send), even though the skill's guardrails require confirmations. This is a specific financial execution capability, not a generic tool.

Issues (2)

W011 (MEDIUM): Third-party content exposure detected (indirect prompt injection risk).

W009 (MEDIUM): Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level: MEDIUM
Analyzed: May 17, 2026, 05:23 PM
Issues: 2