skills/bankrbot/moltbot-skills/veil/Gen Agent Trust Hub

veil

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Categories: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION
Full Analysis
  • PROMPT_INJECTION (HIGH): The skill is highly vulnerable to indirect prompt injection. It takes external data and user-controlled inputs and places them directly into natural language prompts sent to another agent (Bankr) without using boundary markers or sanitization.
      • Ingestion points: Untrusted data enters via the Bankr API response in scripts/veil-bankr-prompt.sh and via the transaction JSON (which could be controlled by other tools) in scripts/veil-bankr-submit-tx.sh.
      • Boundary markers: Absent. The prompt in scripts/veil-bankr-submit-tx.sh is built using simple string concatenation (PROMPT+="$TX_JSON").
      • Capability inventory: The skill can execute local binaries via node, perform network operations via curl, and initiate on-chain transactions (withdraw, transfer, deposit).
      • Sanitization: While it checks for basic JSON fields, it does not sanitize the contents of those fields, allowing an attacker to inject instructions that might be followed by the signing agent.
  • EXTERNAL_DOWNLOADS (MEDIUM): The skill relies on cloning a repository from github.com/veildotcash/veildotcash-sdk or installing @veil-cash/sdk from npm. Neither source is included in the Trusted External Sources list defined in the security framework.
  • REMOTE_CODE_EXECUTION (MEDIUM): The skill executes code from the downloaded external SDK repository using node in several scripts (e.g., _common.sh, veil-init.sh). This is execution of unverifiable code from an untrusted source.
  • CREDENTIALS_UNSAFE (LOW): The skill manages a private key (VEIL_KEY) stored in a local .env.veil file. Although it correctly sets file permissions to 600, the script scripts/veil-keypair.sh is designed to output this private key to the console, making it accessible to the agent and susceptible to leakage via prompt injection.
  • DATA_EXFILTRATION (LOW): The skill performs network operations to api.bankr.bot and potentially other RPC URLs that are not on the whitelisted domains list.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 08:58 PM