cardano-cli-staking-operator

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH (COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill processes untrusted external data (UTXOs, Pool IDs, Reward amounts) while possessing high-privilege capabilities (signing and submitting blockchain transactions).
      • Ingestion points: The agent is expected to fetch <utxo>#<index>, <pool-id-bech32>, and <reward-amount> from external sources (block explorers or APIs) to populate commands.
      • Boundary markers: Absent. There are no delimiters or instructions to ignore embedded commands within the fetched data.
      • Capability inventory: Uses Bash(cardano-cli:*) for signing (transaction sign) and submission (transaction submit), and Write for file creation.
      • Sanitization: None detected. The agent directly interpolates external values into shell commands.
  • [Data Exposure] (HIGH): The skill explicitly grants the agent access to sensitive private key files (payment.skey, stake.skey).
      • Evidence: The workflow requires passing these files to cardano-cli conway transaction sign in multiple steps. If the agent is compromised via indirect injection, these keys could be used to sign unauthorized transfers.
  • [Command Execution] (MEDIUM): The skill allows the agent to execute any cardano-cli or cat command.
      • Evidence: allowed-tools includes Bash(cardano-cli:*) and Bash(cat:*), which together provide broad control over the local Cardano node and file-reading capabilities beyond just the staking workflow.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 02:15 AM