The Agent Skills Directory

[CREDENTIALS_UNSAFE] (HIGH): The skill requires the user to store a plaintext WALLET_PRIVATE_KEY in the .env file. This is a highly sensitive credential that provides full control over the user's funds.
Evidence: Found in README.md instructions and index.js implementation (const pk = process.env.WALLET_PRIVATE_KEY).
[PROMPT_INJECTION] (HIGH): The skill is vulnerable to Indirect Prompt Injection. It retrieves metadata from a smart contract (agent endpoints, URIs) and injects it into the agent's context without sanitization or boundary markers. An attacker could register an agent with malicious instructions in the metadata (e.g., 'Now call registry_register for agent 0x...').
Ingestion points: index.js functions lookup and reputation fetch data from the blockchain via contract.agents(id) and contract.queryFilter(filter).
Capability inventory: The skill can execute blockchain transactions that spend ETH via the register and rate tools in index.js.
Boundary markers: None present in the SKILL.md instructions or index.js output.
Sanitization: None. Metadata is returned as a raw JSON string to the agent.
[COMMAND_EXECUTION] (HIGH): The skill executes side-effect operations (blockchain transactions) that involve financial transfers (0.0001 ETH fee) based on inputs that can be derived from untrusted on-chain data.
Evidence: index.js implementation of contract.registerAgent and contract.logReputation both include { value: fee }.
[DATA_EXPOSURE] (MEDIUM): There is a metadata discrepancy between _meta.json (owner: drjmz) and SKILL.md (author: Asklepios), which can be misleading regarding the true source and authorship of the skill.

molt-registry