skills/openclaw/skills/base-trader/Gen Agent Trust Hub

base-trader

Fail

Audited by Gen Agent Trust Hub on Feb 14, 2026

Risk Level: HIGH
Tags: COMMAND_EXECUTION, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill is designed to ingest untrusted data from the Bankr API and the Base blockchain (specifically token names and market research), as documented in SKILL.md. Evidence Chain:
      1. Ingestion: bankr.sh is used to fetch 'trending tokens' and 'sentiment'.
      2. Boundary markers: None are defined in the instructions for processing this external content.
      3. Capability inventory: The agent has high-privilege capabilities including buying/selling tokens and setting stop losses.
      4. Sanitization: There is no evidence of validation or filtering for external data.
    This creates a surface where an attacker could name a token with malicious instructions to hijack the agent's trading logic.
  • Command Execution (HIGH): The scripts/log-trade.sh file uses an unquoted heredoc (cat <<EOF) to construct a JSON object using shell variables. In bash/sh, this allows shell variable expansion and subshell execution within the heredoc. If the REASON or TOKEN parameters provided by the agent (which may come from untrusted external sources) contain payloads like $(id), the command will be executed by the underlying system.
  • External Downloads & Dependencies (MEDIUM): The skill relies heavily on a non-standard component called 'Bankr' and suggests installation via 'ClawdHub' (as seen in README.md). Neither the dependency nor the registry is in the list of trusted sources, posing a supply chain risk where malicious code could be introduced through these external scripts.
  • Metadata Poisoning & Misleading Content (MEDIUM): The skill's metadata and philosophy sections use 'flavor' text and personas that are deceptive. While claiming to prioritize 'safety' and 'capital preservation', the underlying code contains the high-severity vulnerabilities mentioned above, suggesting a lack of actual security review despite the authoritative claims.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 14, 2026, 07:49 PM