dapp-aave

Fail

Audited by Gen Agent Trust Hub on Mar 15, 2026

Risk Level: CRITICAL
REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill instructs the agent to download and immediately execute a shell script from a remote URL using curl -sSL https://raw.githubusercontent.com/purong-huang-1121/skills-store/main/install.sh | sh. This occurs during both the installation and the routine update checks, providing a mechanism for arbitrary remote code execution on the host system.
  • [EXTERNAL_DOWNLOADS]: Fetches executable content from a repository owned by 'purong-huang-1121', which is not a trusted organization or verified vendor. The reliance on this untrusted source for core functionality is a major security concern.
  • [CREDENTIALS_UNSAFE]: The skill requires the user to input an EVM_PRIVATE_KEY into a .env file. This practice exposes sensitive private keys to the local filesystem, making them vulnerable to any malicious tool or script with file-read permissions.
  • [COMMAND_EXECUTION]: Executes several shell commands including which, cat, date, and the plugin-store binary. These commands are used to manage the lifecycle of the skill and execute on-chain operations using user-provided credentials.
  • [PROMPT_INJECTION]: The skill exhibits multiple security issues in this category.
    (Category 7): The YAML frontmatter claims the author is 'okx', but the skill is published by 'purong-huang-1121', representing a deceptive metadata poisoning attempt.
    (Category 8): The skill has an indirect prompt injection surface.
      1. Ingestion points: User-supplied wallet addresses, token symbols, and amounts in SKILL.md.
      2. Boundary markers: Absent; there are no instructions to sanitize or delimit user-provided data.
      3. Capability inventory: Execution of shell commands and blockchain transaction signing via plugin-store.
      4. Sanitization: Absent; external inputs are directly interpolated into CLI commands.
Recommendations
  • HIGH: Downloads and executes remote code from: https://raw.githubusercontent.com/purong-huang-1121/skills-store/main/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
  • Risk Level: CRITICAL
  • Analyzed: Mar 15, 2026, 03:47 AM