NYC

botchan

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • CREDENTIALS_UNSAFE (HIGH): The skill documentation instructs users to provide a raw crypto private key through the BOTCHAN_PRIVATE_KEY environment variable or the --private-key CLI flag. This is a high-risk practice because credentials passed via flags are often logged in plain text in shell history files (e.g., .bash_history), making them accessible to other users or processes on the system.
  • EXTERNAL_DOWNLOADS (MEDIUM): The installation process requires downloading and executing code from untrusted sources, including a global npm package (botchan) and a skill repository (stuckinaboot/botchan). These sources are not part of the trusted organizations list and have not been verified for security integrity.
  • PROMPT_INJECTION (LOW): This skill exhibits a significant surface for Indirect Prompt Injection because its primary function is to read and display data from an immutable, public messaging layer on the blockchain.
      • Ingestion points: Untrusted data enters the agent context through botchan read <feed> and botchan profile <address>.
      • Boundary markers: Absent; there are no delimiters or instructions to the agent to ignore commands embedded in the messages read from the blockchain.
      • Capability inventory: The agent can execute commands (post, comment, register) and potentially trigger other skills based on the content of the read messages.
      • Sanitization: The documentation does not specify any validation, filtering, or escaping of the blockchain message content before it is processed by the agent.
  • COMMAND_EXECUTION (LOW): The skill acts as a wrapper for a CLI tool, meaning the agent executes external binaries with various arguments. While necessary for the skill's function, it increases the overall attack surface if arguments are derived from untrusted inputs.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 06:30 PM