Skills
skills/orbiter-finance/bridge-skills/orbiter-tx-broadcast/Snyk

orbiter-tx-broadcast

Fail

Audited by Snyk on Mar 11, 2026

Risk Level: HIGH
Full Analysis

HIGH W007: Insecure credential handling detected in skill instructions.

  • Insecure credential handling detected (high risk: 1.00). The skill requires embedding the user's signed transaction value verbatim into an eth_sendRawTransaction request (a sensitive, user-provided value that the model would need to output), creating an exfiltration risk.

MEDIUM W009: Direct money access capability detected (payment gateways, crypto, banking).

  • Direct money access detected (high risk: 1.00). The skill is explicitly designed to broadcast signed Ethereum transactions via the JSON-RPC eth_sendRawTransaction method. Inputs include a signedTx (and rpc/chain selection) and it returns a txHash. Broadcasting a signed transaction is a specific blockchain action that submits on-chain transfers/operations (i.e., can move funds or execute contracts), not a generic tool. Therefore it grants direct financial execution capability.

Issues (2)

W007
HIGH

Insecure credential handling detected in skill instructions.

W009
MEDIUM

Direct money access capability detected (payment gateways, crypto, banking).

Audit Metadata
Risk Level
HIGH
Analyzed
Mar 11, 2026, 04:29 PM
Issues
2