search-for-service

Fail

Audited by Gen Agent Trust Hub on Feb 14, 2026

Risk Level: HIGH (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION)
Full Analysis
  • EXTERNAL_DOWNLOADS (HIGH): The skill frequently executes npx awal@latest. Use of npx fetches code from the npm registry, and the @latest tag ensures the most recent version is used every time, providing no version pinning or integrity verification. An attacker who gains control of the 'awal' package could execute arbitrary code on the user's system.
  • REMOTE_CODE_EXECUTION (HIGH): Executing unversioned packages from a public registry (npm) via npx is a form of remote code execution, as the logic being run is controlled by an external party and downloaded at execution time.
  • COMMAND_EXECUTION (LOW): The skill requires the Bash tool to run marketplace commands. While the commands themselves (search, list, details) are restricted to the awal binary, the reliance on an external binary downloaded at runtime escalates the risk.
  • INDIRECT PROMPT INJECTION (MEDIUM): The skill retrieves API schemas, descriptions, and payment details from an external, third-party 'bazaar' marketplace.
      • Ingestion points: npx awal@latest x402 bazaar search/list and npx awal@latest x402 details <url>.
      • Boundary markers: None. The agent is not instructed to ignore instructions embedded in the search results or API schemas.
      • Capability inventory: The agent uses these results to decide on services to call and payments to initiate, typically followed by the pay-for-service skill.
      • Sanitization: None. The tool returns raw data (potentially JSON) from the marketplace for the agent to process. An attacker listing a service in the bazaar could include malicious instructions in the 'description' or 'schema' fields to influence the agent's behavior.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 14, 2026, 02:12 PM