erc-8004

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • REMOTE_CODE_EXECUTION (HIGH): In scripts/get-agent.sh, the result of an Ethereum RPC call ($RESULT) is interpolated directly into a node -e command string. Because the RPC response (the tokenURI on the blockchain) is attacker-controlled data, an adversary can craft a specific response containing single quotes and JavaScript commands (e.g., process.exit() or require('child_process').exec(...)) to execute arbitrary code on the host machine.
  • REMOTE_CODE_EXECUTION (HIGH): The scripts register-http.sh, register.sh, update-profile.sh, and register-onchain.sh all use the pattern node -e "... '$VARIABLE' ...". These variables are sourced from environment variables or previous script outputs. If an agent populates these variables using unsanitized user input, it allows for command injection into the Node.js runtime.
  • EXTERNAL_DOWNLOADS (MEDIUM): scripts/get-agent.sh fetches content from arbitrary IPFS gateways and HTTP URLs provided by the blockchain. This behavior can be exploited for Server-Side Request Forgery (SSRF) or used to pull malicious payloads into the execution environment.
  • INDIRECT_PROMPT_INJECTION (LOW): The skill processes untrusted external data which could influence agent behavior.
      • Ingestion points: scripts/get-agent.sh reads and outputs content from arbitrary URIs.
      • Boundary markers: Absent. The external content is printed directly to the agent's context without delimiters.
      • Capability inventory: The skill can trigger financial transactions via bankr and upload data to IPFS.
      • Sanitization: None. The scripts use jq for formatting but do not sanitize the actual string content against prompt injection patterns.
  • COMMAND_EXECUTION (LOW): The skill depends on bankr, an external CLI tool. While the tool is a legitimate utility, the skill assumes its presence and uses it to execute high-value transactions based on constructed calldata.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 17, 2026, 05:11 PM