NYC

openserv-launch

Pass

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: SAFE
Finding categories: PROMPT_INJECTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION] (LOW): Indirect Prompt Injection Surface. The launch_token capability in SKILL.md and agent-launcher.ts ingests user-controlled metadata (name, symbol, description), which is then sent to a remote API. The agent subsequently processes and echoes the API response, which could contain malicious instructions if the remote service were compromised.
    ◦ Ingestion points: args object in the launch_token, list_tokens, and get_token capabilities.
    ◦ Boundary markers: Absent; the agent receives raw strings or interpolated data from the API response.
    ◦ Capability inventory: Subprocess calls via the OpenServ SDK to interact with the blockchain, and network requests via axios.
    ◦ Sanitization: Input is structurally validated using zod, but there is no natural-language filtering for instructions in free-text fields such as description.
  • [EXTERNAL_DOWNLOADS] (LOW): The skill relies on several external Node.js packages. While axios, zod, and dotenv are industry standards, the specialized SDKs (@openserv-labs/sdk, @openserv-labs/client) are from an organization not included in the predefined trusted list. Additionally, SKILL.md suggests using npx to update or install skills from the same untrusted repository.
  • [DATA_EXFILTRATION] (LOW): The skill performs network operations to https://instant-launch.openserv.ai. This domain is not on the global whitelist. However, the traffic is limited to the skill's stated purpose (token deployment and querying) and does not involve accessing sensitive local file paths such as SSH keys or AWS credentials.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 17, 2026, 05:18 PM