across-bridge
Warn
Audited by Snyk on Jun 29, 2026
Risk Level: MEDIUM
Full Analysis
MEDIUM W011: Third-party content exposure detected (indirect prompt injection risk).
- Third-party content exposure detected (high risk: 0.85). At runtime, bridge_quote/bridge_execute call the outsider-authored public web endpoint https://app.across.to/api/swap via requests.get(...).json(), and the returned JSON (including free-text fields, if any) is inserted into the agent's LLM context through the function's returned raw/parsed fields.
MEDIUM W012: Unverifiable external dependency detected (runtime URL that controls agent).
- Potentially malicious external URL detected (high risk: 1.00). The skill makes runtime requests to https://app.across.to/api/swap and https://app.across.to/api/deposit/status and uses the /swap response (approvalTxns / bridge_tx) as ready-to-sign transaction calldata which the agent then executes via wallet_transfer, so fetched content directly controls executed actions.
MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).
- Direct money access detected (high risk: 1.00). This skill is explicitly designed to move cryptocurrency assets. It exposes functions like bridge_execute that (per the docs) fetch a quote, send ERC-20 approve transactions, broadcast the Across depositV3 bridge transaction, and poll for arrival — i.e., it signs and sends on-chain transactions using the agent wallet (Starchild). Those are direct crypto execution capabilities (wallet signing, broadcasting, token transfers), not generic tooling, so it grants direct financial execution authority.
Issues (3)
W011 MEDIUM: Third-party content exposure detected (indirect prompt injection risk).
W012 MEDIUM: Unverifiable external dependency detected (runtime URL that controls agent).
W009 MEDIUM: Direct money access capability detected (payment gateways, crypto, banking).
Audit Metadata