The Agent Skills Directory

The skill 'moonpay' has been analyzed for security vulnerabilities across all provided files (README.md, SKILL.md, _meta.json).

Prompt Injection: No patterns indicative of prompt injection (e.g., 'IMPORTANT: Ignore', 'override instructions') were found in any of the skill's instructions or metadata.
Data Exfiltration: The skill requires MOONPAY_API_KEY and MOONPAY_SECRET_KEY as environment variables, which is a secure practice. The API_KEY is sent in curl requests to https://api.moonpay.com for authentication, which is standard API usage. The SECRET_KEY is used locally with openssl dgst -sha256 -hmac for URL signing and webhook verification, without being transmitted over the network. No attempts to read or exfiltrate sensitive local files (e.g., ~/.ssh/id_rsa, ~/.aws/credentials) were detected. All network communication is with legitimate MoonPay domains (api.moonpay.com, buy.moonpay.com).
Obfuscation: No obfuscation techniques such as Base64 encoding, zero-width characters, Unicode homoglyphs, or excessive URL/hex/HTML encoding were found in the skill's content.
Unverifiable Dependencies: The skill's installation method clawdhub install moonpay indicates it is an external dependency. The _meta.json file points to a GitHub commit (https://github.com/clawdbot/skills/commit/...), suggesting traceability to a specific version within the clawdbot organization. Assuming clawdbot is a trusted organization for the agent platform, this is considered a trusted external source. The skill explicitly requires curl and jq binaries, which are standard system tools and not third-party libraries with unknown code. This finding is downgraded to INFO/LOW due to the trusted source.
Privilege Escalation: No commands indicating privilege escalation (e.g., sudo, doas, chmod 777, modifications to system files or services) were found.
Persistence Mechanisms: No attempts to establish persistence (e.g., modifying .bashrc, crontab, authorized_keys, or systemd services) were detected.
Metadata Poisoning: The name, description, and metadata fields in SKILL.md, as well as the _meta.json file, were free of any malicious instructions or hidden content.
Indirect Prompt Injection: The skill processes user input (e.g., for quotes, transaction IDs) and mentions webhook events. As such, it is inherently susceptible to indirect prompt injection if malicious instructions are embedded in the data it processes. This is a general risk for LLM agents and is noted as an INFO-level concern, not a specific vulnerability in the skill's code.
Time-Delayed / Conditional Attacks: No conditional logic (e.g., if statements based on dates, times, usage counts, or specific environment variables) that could trigger delayed or conditional malicious behavior was found.

Conclusion: The skill demonstrates good security practices in handling sensitive credentials and interacting with external APIs. No direct malicious patterns or significant vulnerabilities were identified in its code. The primary considerations are the general risks associated with external dependencies (mitigated by a trusted source) and indirect prompt injection (an inherent risk for interactive AI skills).