The Agent Skills Directory

[COMMAND_EXECUTION]: The skill uses Bash(curl) and Bash(jq) to perform HTTP POST requests and process JSON responses. These tools are restricted to the specific vendor API domain and standard data parsing.
[EXTERNAL_DOWNLOADS]: Communicates with https://skillsapi.haedal.xyz to fetch transaction data and reward lists. The domain matches the skill author ('haedal') and represents legitimate vendor infrastructure.
[PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection through data returned from the API (e.g., the unstake tickets list or error messages), which the agent is instructed to present to the user.
Ingestion points: API response body from get_unstake_tickets_list and the msg field in non-200 responses in SKILL.md.
Boundary markers: None identified in the prompt templates.
Capability inventory: Access to Bash(curl), Bash(jq), and file system tools (Read, Write, Edit, Glob, Grep).
Sanitization: No explicit sanitization or escaping of the API-provided strings is mentioned before presentation to the user.

haedal-hasui