The Agent Skills Directory

[DATA_EXFILTRATION] (LOW): The skill communicates with the external domain 'rpc.starknet.lava.build' for RPC services. This domain is not included in the predefined whitelist of trusted external sources.- [PROMPT_INJECTION] (LOW): A vulnerability surface for indirect prompt injection was identified. 1. Ingestion points: User-provided data enters through the 'address', 'amount', 'memo', and 'logo_path' parameters in 'qr_generator.py'. 2. Boundary markers: Absent; user input is interpolated into strings and file operations without delimiters or instructions to ignore embedded content. 3. Capability inventory: Includes network operations for blockchain interactions in 'starknet_client.py' and file system writes in 'qr_generator.py'. 4. Sanitization: Address checksumming is implemented, but transaction memos and the 'logo_path' parameter lack validation or sanitization.- [CREDENTIALS_UNSAFE] (SAFE): The skill adheres to security best practices by recommending the use of environment variables for the 'MINI_PAY_PRIVATE_KEY' and 'TELEGRAM_BOT_TOKEN' instead of hardcoding them within the scripts.

starknet-mini-pay