The Agent Skills Directory

[EXTERNAL_DOWNLOADS/REMOTE_CODE_EXECUTION] (HIGH): The skill's documentation and scripts (_common.sh, veil-init.sh) depend on cloning and building an untrusted third-party repository (https://github.com/veildotcash/veildotcash-sdk). The skill then executes the resulting Javascript (node "$SDK_REPO/dist/cli/index.cjs") without any integrity verification, creating a significant supply chain risk.
[PROMPT_INJECTION] (HIGH): The skill is highly vulnerable to indirect prompt injection (Category 8).
Ingestion points: scripts/veil-bankr-submit-tx.sh reads transaction data from stdin or files, and scripts/veil-bankr-prompt.sh takes user-supplied strings as arguments.
Boundary markers: None. The script veil-bankr-submit-tx.sh wraps raw input in a natural language prompt for another agent: Submit this transaction (do not change any fields):\n$TX_JSON.
Capability inventory: The skill can submit transactions that move ETH and communicate with the Bankr API.
Sanitization: None. Input is passed directly into a prompt template. An attacker providing a malicious transaction payload could override the instructions to divert funds.
[CREDENTIALS_UNSAFE/DATA_EXFILTRATION] (HIGH): The skill manages highly sensitive data, including Veil private keys (~/.clawdbot/skills/veil/.env.veil) and Bankr API keys (~/.clawdbot/skills/bankr/config.json). While these are needed for operation, the veil-bankr-prompt.sh script transmits these credentials and user-supplied prompts to an external endpoint (https://api.bankr.bot), presenting an exfiltration risk if the destination or the local environment is compromised.
[COMMAND_EXECUTION] (MEDIUM): The scripts use set -a and source on .env files which may be modified by other processes, potentially leading to environment variable injection and altered command behavior in veil_cli.

veil