nano-mcp-wallet

Pass

Audited by Gen Agent Trust Hub on May 3, 2026

Risk Level: SAFE
Tags: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs the agent to execute the CLI tool xno-skills using package runners such as bunx, pnpm dlx, or npx. It explicitly mandates the use of the @latest tag, which directs the agent to download and run the most recent version of the package from the public npm registry at runtime.
  • [REMOTE_CODE_EXECUTION]: By recommending npx -y xno-skills@latest, the skill performs dynamic execution of external code. Although the package appears to be a vendor-owned resource, the lack of version pinning introduces a supply chain risk where a compromised package update could be automatically executed by the agent without user intervention.
  • [INDIRECT_PROMPT_INJECTION]: The skill processes external data from the Nano blockchain and various RPC providers (e.g., account balances, pending blocks, and transaction history) which can be influenced by third parties.
    • Ingestion points: Untrusted data enters the agent context through the balance and receive tools, as well as the wallet:// MCP Resource URIs, which fetch state from public RPC nodes.
    • Boundary markers: The instructions do not specify the use of delimiters or specific "ignore embedded instructions" warnings for data retrieved from the blockchain.
    • Capability inventory: The skill possesses significant capabilities, including executing shell commands (xno-skills), performing network operations (RPC requests), and managing financial transactions via the OWS bridge.
    • Sanitization: There is no evidence of validation or sanitization of the transaction metadata or blockchain state before it is processed by the agent's logic.
  • [COMMAND_EXECUTION]: The skill relies on shell command execution via Node.js package runners to perform core wallet operations. While it includes safety instructions to avoid custom scripts or curl, the reliance on shell-based CLI tools increases the overall attack surface.
Audit Metadata
Risk Level: SAFE
Analyzed: May 3, 2026, 05:24 AM