The Agent Skills Directory

[COMMAND_EXECUTION]: The script agent-wallet.js performs blockchain state queries and transaction submissions via the Koios API, which is the intended and documented functionality of the skill.
[DATA_EXFILTRATION]: All network operations are directed to well-known Cardano infrastructure (Koios API). No patterns of unauthorized data transmission or exfiltration of sensitive key material were detected.
[CREDENTIALS_UNSAFE]: The skill manages private keys using environment variables and local files. It sets secure file permissions (chmod 600) and includes explicit instructions to avoid using mnemonics, minimizing the risk of credential exposure.
[INDIRECT_PROMPT_INJECTION]: The skill accepts unsigned transaction hex from external sources (TX_CBOR_HEX); while this creates an ingestion point for external data, the risk is inherent to the wallet's primary purpose of signing transactions, and the documentation emphasizes using trusted sources.

koios-agent-wallet