use-algokit-utils
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (PROMPT_INJECTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE)
Full Analysis
- [PROMPT_INJECTION] (HIGH): The skill is susceptible to Indirect Prompt Injection (Category 8) due to its capability to perform irreversible financial actions using external data.
  1. Ingestion points: The skill accepts untrusted data for parameters such as 'receiver', 'amount', 'assetId', and 'note' (SKILL.md, lines 33, 41).
  2. Boundary markers: No delimiters or instructions are present to prevent the agent from obeying instructions embedded in these fields.
  3. Capability inventory: High-impact operations including 'payment', 'assetTransfer', and the highly sensitive 'rekeyTo' (which changes account control) are available in references/python/algorand-client.md and references/typescript/algorand-client.md.
  4. Sanitization: There is no evidence of validation or escaping for these inputs.
- [EXTERNAL_DOWNLOADS] (MEDIUM): The skill references '@algorandfoundation/algokit-utils' and 'algokit-utils'. These packages are not hosted within the specific organizations defined in the [TRUST-SCOPE-RULE].
- [CREDENTIALS_UNSAFE] (LOW): The documentation files contain placeholder mnemonics ('abandon abandon...') and tokens ('aaaa...'). While these are for demonstration, they highlight the sensitivity of the data handled by the skill.
Recommendations
- AI detected serious security threats
Audit Metadata