skills/aibtcdev/skills/pillar/Gen Agent Trust Hub

pillar

Warn

Audited by Gen Agent Trust Hub on Mar 16, 2026

Risk Level: MEDIUM
Categories: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The openBrowser function in pillar/pillar.ts uses child_process.exec to execute shell commands with string-interpolated URLs. Because the ref (referral) parameter from user arguments is included in the URL without sanitization, the function is vulnerable to command injection if a maliciously crafted referral string (e.g., containing quotes and shell operators) is provided to the create-wallet command.
  • [CREDENTIALS_UNSAFE]: The signing key management in pillar/pillar-direct.ts derives the encryption password for local secp256k1 keys from the PILLAR_API_KEY environment variable. When this variable is not provided, the skill defaults to using a hardcoded string ('pillar-direct-default'), resulting in trivial protection for the user's private signing keys stored in ~/.aibtc/signing-keys/.
  • [DATA_EXFILTRATION]: The skill accesses sensitive local files, including private keys and session data, located in the user's home directory (~/.aibtc/). While this is part of its wallet management functionality, the exposure of these files is a high-risk factor, especially given the weak default encryption described above.
  • [PROMPT_INJECTION]: The skill processes untrusted external data such as BNS names, wallet names, and partner identifiers that could be manipulated to influence tool behavior.
      • Ingestion points: pillar/pillar-direct.ts and pillar/pillar.ts (subcommands: send, direct-send, dca-invite, direct-dca-invite).
      • Boundary markers: None present; inputs are interpolated directly into command arguments and API payloads.
      • Capability inventory: Subprocess execution via openBrowser, file system access for session/key storage, and network communication via the Pillar API.
      • Sanitization: No sanitization or validation of the structure of resolved names, referral codes, or email addresses was observed before processing.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 16, 2026, 07:16 PM