bridge
Cross-chain token transfers using Wormhole and CCTP
70
59%
Does it follow best practices?
Impact
Pending
No eval scenarios have been run
Advisory
Suggest reviewing before use
Optimize this skill with Tessl
npx tessl skill review --optimize ./src/skills/bundled/bridge/SKILL.mdSecurity
2 findings — 2 medium severity. This skill can be installed but you should review these findings before use.
W011: Third-party content exposure detected (indirect prompt injection risk)
What this means
The skill exposes the agent to untrusted, user-generated content from public third-party sources, creating a risk of indirect prompt injection. This includes browsing arbitrary URLs, reading social media posts or forum comments, and analyzing content from unknown websites.
Why it was flagged
Third-party content exposure detected (high risk: 0.80). This skill directly fetches and parses data from the public WormholeScan APIs in index.ts (the fetch calls in the "status" and "routes" handlers), and that untrusted third-party JSON is interpreted and used to drive status/route outputs which can materially influence follow-up actions like redeeming or initiating transfers.
W009: Direct money access capability detected (payment gateways, crypto, banking)
What this means
The skill is specifically designed for direct financial operations, giving the agent the ability to move money or execute financial transactions — such as payment processing, cryptocurrency operations, banking integrations, or market order execution.
Why it was flagged
Direct money access detected (high risk: 1.00). The skill explicitly implements cross-chain token transfer functionality (Wormhole and Circle CCTP). It includes concrete "send" and "redeem" commands and APIs that perform financial actions: e.g., "/bridge send 100 USDC sol to eth", executeWormholeBridge/executeCCTPBridge functions, and redeemCCTP/executeWormholeRedeem. The TypeScript API requires source/destination private keys and returns transaction hashes/VAA/message hashes, and the flow describes locking, burning, attestation, and minting of USDC. These are specific primitives to move value and manage token transfers (not generic helpers), so this skill grants direct financial execution capability.
- Repository
- alsk1992/CloddsBot
- Commit
2a8c94e
- Audited
- Security analysis
Is this your skill?
If you maintain this skill, you can claim it as your own. Once claimed, you can manage eval scenarios, bundle related skills, attach documentation or rules, and ensure cross-agent compatibility.