across-bridge

Verdict: Warn
Audited by Snyk on Jun 29, 2026
Risk Level: MEDIUM

Full Analysis

MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).

  • Third-party content exposure detected (high risk: 0.85). At runtime, bridge_quote/bridge_execute call the outsider-authored public web endpoint https://app.across.to/api/swap via requests.get(...).json(), and the returned JSON (including free-text fields if any) is inserted into the agent’s LLM context through the function’s returned raw/parsed fields.

MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).

  • Potentially malicious external URL detected (high risk: 1.00). The skill makes runtime requests to https://app.across.to/api/swap and https://app.across.to/api/deposit/status and uses the /swap response (approvalTxns / bridge_tx) as ready-to-sign transaction calldata which the agent then executes via wallet_transfer, so fetched content directly controls executed actions.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). This skill is explicitly designed to move cryptocurrency assets. It exposes functions like bridge_execute that (per the docs) fetch a quote, send ERC-20 approve transactions, broadcast the Across depositV3 bridge transaction, and poll for arrival — i.e., it signs and sends on-chain transactions using the agent wallet (Starchild). Those are direct crypto execution capabilities (wallet signing, broadcasting, token transfers), not generic tooling, so it grants direct financial execution authority.


Audit Metadata
Risk Level: MEDIUM
Analyzed: Jun 29, 2026, 07:00 AM
Issues: 3