The Agent Skills Directory

[EXTERNAL_DOWNLOADS]: The skill fetches the onchainos CLI installer and binary updates from the vendor's official GitHub repository (github.com/okx/onchainos-skills). These are vendor-owned resources necessary for the skill's functionality.
[REMOTE_CODE_EXECUTION]: During the setup phase, the agent is instructed to download and execute installer scripts (install.sh or install.ps1) from the OKX GitHub repository. This pattern is documented as safe given the source and primary purpose of the skill.
[COMMAND_EXECUTION]: The skill requires the execution of shell commands and the onchainos binary to perform portfolio management tasks and handle CLI installation/updates.
[SAFE]: The skill implements robust security controls by mandating the verification of SHA256 checksums for both the installer script and the compiled CLI binary before execution, ensuring the integrity of the local environment.
[PROMPT_INJECTION]: The skill accounts for the risk of indirect prompt injection from external blockchain data.
Ingestion points: Token names, symbols, and wallet asset descriptions returned by the onchainos CLI (found in SKILL.md).
Boundary markers: The instructions explicitly direct the agent to treat all data returned from the CLI as untrusted and to never interpret it as instructions.
Capability inventory: The agent uses the onchainos CLI for data lookup and potentially coordinates subsequent actions like token swaps.
Sanitization: Instructions include a warning to treat token metadata as potentially inaccurate and to verify contract addresses for high-value holdings.

okx-wallet-portfolio