jupiter-vrfd
Warn
Audited by Gen Agent Trust Hub on Mar 29, 2026
Risk Level: MEDIUM
Flags: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill instructs the agent to access sensitive local files, including `~/.config/solana/id.json` and `.env` files, to retrieve private keys for signing blockchain transactions.
- [COMMAND_EXECUTION]: The skill performs various shell operations, including directory creation, environment configuration via `npm pkg set`, and the execution of a custom TypeScript script using `node` or `tsx`.
- [DATA_EXFILTRATION]: The skill reads local credentials and performs network requests to Jupiter's API (token-verification-dev-api.jup.ag). While it is designed to only transmit signed transactions and explicitly warns against printing or sending raw secrets, the combination of credential access and network capability is a sensitive pattern.
- [REMOTE_CODE_EXECUTION]: The skill generates an executable script (`pay.ts`) at runtime using an embedded template and user-provided configuration, which is then executed to perform signing and submission logic.
- [EXTERNAL_DOWNLOADS]: The skill installs several standard Node.js packages from the public npm registry, such as `@solana/web3.js`, `@solana/spl-token`, and `dotenv`, to support its operations.
- [SAFE]: The skill implements proactive security controls by including logic within the generated script to verify the transaction's instruction count, program ID, transfer amount, and destination address locally before applying a signature.
Audit Metadata