create-python-x402-facilitator-bazaar

Warn

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, PROMPT_INJECTION)
Full Analysis
  • EXTERNAL_DOWNLOADS (MEDIUM): The skill instructs the user to install the x402-avm package via pip from an untrusted source. The GitHub organization GoPlausible is not on the trusted list.
  • PROMPT_INJECTION (MEDIUM): The skill contains an indirect prompt injection surface (Category 8).
      • Ingestion points: The extract_discovery_info function in SKILL.md (Step 5) ingests payment_payload and payment_requirements from untrusted external resource servers.
      • Boundary markers: The code uses a validate=True flag, but does not implement explicit delimiters to prevent malicious instructions from being interpreted as data during cataloging.
      • Capability inventory: The facilitator side builds API catalogs and prints descriptions. While no immediate RCE is shown, the aggregated data can influence downstream agent decisions or user behavior.
      • Sanitization: Uses jsonschema for structural validation, which prevents schema confusion but does not filter for natural language instructions embedded in fields like 'description'.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Feb 16, 2026, 08:51 AM