The Agent Skills Directory

Remote Code Execution (CRITICAL): The file scripts/bootstrap.sh contains a pattern for piped remote execution (curl -L https://foundry.paradigm.xyz | bash). While presented as an installation instruction for prerequisites, this constitutes a direct RCE vector if the agent or user executes the suggested command from an untrusted source.
Indirect Prompt Injection (HIGH): The skill processes untrusted data from blockchain RPC providers (Category 8). Specifically, src/pool-info.ts and src/approve.ts fetch token symbols and decimals using token.symbol() and token.decimals(). Malicious token contracts can return crafted strings designed to influence agent behavior. Since the skill has 'write' capabilities (executing swaps and approvals via src/swap.ts), this is a high-risk surface.
Ingestion points: RPC responses in src/pool-info.ts (token metadata) and src/quote.ts (pool state).
Boundary markers: Absent. External strings are interpolated directly into logs and potentially the agent context.
Capability inventory: subprocess.run (Python), ethers.js transaction signing, and shell command execution via cast.
Sanitization: Strict regex validation exists for addresses and integers in src/lib/validation.ts, but does not apply to token metadata like symbols.
Command Execution (MEDIUM): The skill relies on a hybrid execution model where TypeScript scripts call Python scripts (scripts/v4_read.py), which in turn spawn subprocesses calling the cast binary. While arguments are partially validated, the complexity of this chain increases the risk of command injection if validation is bypassed.
External Downloads (MEDIUM): The skill depends on external binaries (node, python3, jq, cast) and remote scripts without verifying integrity hashes or using pinned versions for non-npm dependencies.

uniswap-v4