ckbtc
Pass
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill provides integration instructions and implementation examples for official Chain-Key Bitcoin (ckBTC) canisters. All referenced canister IDs, such as the Ledger (mxzaz-hqaaa-aaaar-qaada-cai) and Minter (mqygn-kiaaa-aaaar-qaadq-cai), match the trusted infrastructure maintained by the vendor 'dfinity'.\n- [SAFE]: Implements essential security controls by verifying callers using
Principal.isAnonymousin both Motoko and Rust. This ensures that only authenticated users can access their specific balances, deposit addresses, or initiate withdrawals.\n- [SAFE]: Follows standardized financial protocols for the Internet Computer ecosystem, specifically ICRC-1 for secure transfers and ICRC-2 for approved withdrawals, minimizing the risk of logic errors in fund management.\n- [SAFE]: External dependencies and tools, includingicp-cli(installed viadfinity/tap),mops, andic-cdk, are standard, well-known components from the trusted author 'dfinity'.\n- [SAFE]: Regarding indirect prompt injection (Category 8):\n - Ingestion points: The skill accepts Bitcoin addresses as strings and transaction amounts as numeric types in the withdrawal and transfer functions.\n
- Boundary markers: Data is processed through structured inter-canister calls using the Candid serialization format, which enforces strict data boundaries.\n
- Capability inventory: The skill enables the canister to perform ledger transfers, grant allowances, and request Bitcoin minting/burning.\n
- Sanitization: Input validation is performed by the Candid type system, and the implementation includes explicit caller authentication to prevent unauthorized capability usage.
Audit Metadata