solana-skill

Fail

Audited by Gen Agent Trust Hub on Feb 14, 2026

Risk Level: HIGH
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [Indirect Prompt Injection] (HIGH): The skill possesses high-privilege capabilities (sending SOL/tokens, executing swaps) and ingests untrusted external data from the blockchain (token symbols, metadata, and transaction history via Helius and Jupiter APIs).
      • Ingestion points: scripts/wallet.ts (fetches asset lists and metadata), scripts/swap.ts (fetches quotes and route plans).
      • Boundary markers: None. External content is interpolated directly into logic and potentially agent prompts.
      • Capability inventory: sendAndConfirmTransaction and sendRawTransaction in scripts/send.ts and scripts/swap.ts allow for irreversible financial operations.
      • Sanitization: Validates addresses and price impact, but does not sanitize token metadata (symbols/names) which could contain malicious instructions targeted at the agent processing the output.
  • [Credentials Unsafe] (MEDIUM): In scripts/wallet.ts, the getDefaultPassword() function derives an encryption key from process.env.USER and process.env.HOME. This is a weak, predictable derivation method that provides minimal protection against an attacker who has gained access to the local filesystem.
  • [Data Exposure] (LOW): The skill stores sensitive private keys in ~/.config/solana-skill/wallets/. While it uses AES-256-GCM and sets restricted file permissions (0o600), the reliance on weak key derivation (mentioned above) increases the risk of exposure if the configuration directory is compromised.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Feb 14, 2026, 12:06 PM