The Agent Skills Directory

CREDENTIALS_UNSAFE (HIGH): The documentation in wallet-setup.md instructs the agent to generate and log private keys to the console using node -e "...console.log('WALLET_PRIVATE_KEY=' + privateKey)". This facilitates the accidental exposure of sensitive credentials in system logs or agent output.
REMOTE_CODE_EXECUTION (HIGH): The skill directs the agent to run npx add-wallet, which downloads and executes unverified code from the npm registry. This bypasses security reviews and allows for arbitrary code execution at runtime.
EXTERNAL_DOWNLOADS (MEDIUM): The skill relies on several unverifiable packages from the @x402/ scope, such as @x402/core, @x402/evm, and @x402/svm, which are not from trusted organizations.
COMMAND_EXECUTION (MEDIUM): Recommends piping inputs (echo "1" | npx ...) to bypass interactive CLI prompts in non-TTY environments. While helpful for automation, this pattern can be exploited to execute privileged actions without human validation.
PROMPT_INJECTION (LOW): Includes specific instructions targeted at AI agents ('IMPORTANT FOR AI AGENTS') to modify their behavior when interacting with CLI tools, effectively overriding default interaction patterns.

buy