blockrun

Warn

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE)
Full Analysis
  • [Unverifiable Dependencies] (MEDIUM): The skill instructs the agent to install the blockrun-llm package using pip. This package originates from an unverified source that is not on the trusted organizations or repositories list. Installing a third-party package can execute arbitrary code during the setup phase (for example via install-time hooks), before any of the package's own code is called.
  • [Data Exposure] (MEDIUM): The skill manages sensitive wallet session tokens and potentially private keys in the directory $HOME/.blockrun/.session. This file represents a high-value target for credential exfiltration, as it provides access to the user's funded wallet.
  • [COMMAND_EXECUTION] (LOW): The skill requests extensive permissions via allowed-tools, including Bash(pip:*) and Bash(python:*). This high-privilege configuration is used to maintain the SDK but increases the risk if the agent is manipulated into running malicious commands.
  • [Indirect Prompt Injection] (LOW): The skill ingests untrusted data from external sources like X/Twitter (via Grok) and other LLMs, which may contain malicious instructions designed to hijack the agent's behavior.
      • Ingestion points: Data returned from client.chat() and external image metadata.
      • Boundary markers: Absent. The provided examples do not demonstrate the use of delimiters or 'ignore' instructions for the external content.
      • Capability inventory: The skill has access to Bash (Python/Pip) and Read tools, which could be abused if an injection is successful.
      • Sanitization: No sanitization or validation of the content received from external APIs is mentioned in the skill definition.
Audit Metadata
  Risk Level: MEDIUM
  Analyzed: Feb 17, 2026, 06:36 PM