near-connect-hooks

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
EXTERNAL_DOWNLOADS, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
  • [Unverifiable Dependencies] (MEDIUM): The skill's installation instructions (SKILL.md) and reference files (references/api-reference.md) specify dependencies on @hot-labs/near-connect and near-api-js. These packages and their maintainers are not within the defined trusted organization scope.
  • [Indirect Prompt Injection] (HIGH):
      • Ingestion points: Untrusted data enters the agent context through the args parameter in viewFunction and callFunction, the message field in signNEP413Message, and receiverId in transfer (found in references/api-reference.md).
      • Boundary markers: There are no markers or delimiters specified to distinguish between developer instructions and untrusted external data.
      • Capability inventory: The skill provides methods for transfer (moving funds), callFunction (modifying blockchain state), and signAndSendTransaction (arbitrary blockchain actions). These are high-impact capabilities with significant side effects.
      • Sanitization: No evidence of input validation or sanitization is present in the examples or API definitions.
  • [Privilege Escalation] (HIGH): The library exposes Actions.addFullAccessKey and addFunctionCallKey (SKILL.md, references/api-reference.md). A malicious instruction could trick the agent into adding a full access key controlled by an attacker, leading to total account takeover. The deleteKey capability also allows for the removal of existing security measures.
  • [Command Execution] (LOW): The skill documentation encourages the execution of npm install for third-party packages. While standard for development, in an automated agent context, this involves executing shell commands to fetch external code.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 16, 2026, 06:57 AM