erc-8004

Fail

Audited by Gen Agent Trust Hub on Mar 5, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The scripts scripts/get-agent.sh and scripts/register.sh use a dangerous pattern of executing dynamically generated JavaScript via node -e. Shell variables containing data retrieved from external, untrusted sources—such as Ethereum RPC responses and Pinata IPFS gateway outputs—are interpolated directly into the JavaScript code strings without any sanitization or escaping. This allows for command injection if an external source returns a payload containing character sequences that escape the JavaScript string context.
  • [REMOTE_CODE_EXECUTION]: The vulnerability in the Node.js execution flow allows for potential remote code execution, as the malicious payload can be delivered from the blockchain (via a crafted agent registry entry) or a compromised RPC provider and executed on the host system running the agent skill.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection in the scripts/get-agent.sh script. The script identifies a URI from an on-chain registry and performs a network request to fetch the content at that URI (IPFS or HTTP). This content is then output and processed by the agent without validation.
    • Ingestion points: scripts/get-agent.sh (line 73, network request to $URI).
    • Boundary markers: No delimiters or instructions to ignore embedded commands are present.
    • Capability inventory: The skill has the capability to submit on-chain transactions and bridge ETH using the bankr tool, and perform additional network operations via curl.
    • Sanitization: No sanitization, filtering, or validation is performed on the data fetched from the external URI.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 5, 2026, 07:56 AM