cardano-cli-plutus-scripts

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • Unverifiable Dependencies & Remote Code Execution (HIGH): The wrapper script scripts/cardano-cli.sh pulls and executes the Docker image ghcr.io/intersectmbo/cardano-node:latest. Since the organization intersectmbo is not on the provided list of trusted GitHub entities, this constitutes an unverified remote code execution vector.
  • Data Exposure & Exfiltration (HIGH): The script mounts the user's current working directory ($PWD) into the container with read/write access (-v "$PWD":/work). This exposes all local files in the execution directory to the unverified Docker image. Documentation templates in the skill explicitly reference sensitive Cardano private keys (e.g., wallets/alice/payment.skey), which would be exposed to the container environment via this volume mount.
  • Indirect Prompt Injection (LOW): The skill processes untrusted data from files like datum.json and redeemer.json and interpolates them into commands. It lacks boundary markers or sanitization to prevent malicious content in these files from influencing agent behavior. Ingestion points: SKILL.md, reference/script-spend-template.md; Boundary markers: Absent; Capability inventory: cardano-cli execution via Docker, filesystem access; Sanitization: Absent.
  • Dynamic Execution (MEDIUM): The scripts/cardano-cli.sh script dynamically constructs and executes command-line arguments using exec and shell variable expansion, which presents a surface for potential command manipulation.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 17, 2026, 06:02 PM