web3-forge

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • Indirect Prompt Injection (HIGH): The skill possesses a high-risk attack surface as it is designed to ingest and process external, untrusted smart contract code and directory structures.
      • Ingestion points: Processes Solidity files in tests/ and scripts/ and reads package.json for dependency versioning.
      • Boundary markers: Absent. There are no instructions to delimit user code or ignore instructions embedded in code comments (e.g., malicious NatSpec).
      • Capability inventory: Possesses execution capabilities via forge test, forge script, and forge coverage, which include network broadcasting and local shell access.
      • Sanitization: Absent. No validation or sanitization of ingested code content before processing.
  • Unverifiable Dependencies (MEDIUM): The skill instructs the agent to suggest or perform installation of third-party tools that are not from the defined trusted organizations.
      • Evidence: pip install halmos and pip install certora-cli found in references/formal-verification.md.
      • Evidence: Instructs the agent to dynamically fetch and read Vm.sol from https://github.com/foundry-rs/forge-std (an untrusted organization per the [TRUST-SCOPE-RULE]).
  • Command Execution (MEDIUM): The skill provides patterns for executing forge script with the --broadcast and --verify flags, which perform network-based write operations (blockchain transactions) and send data to Etherscan.
  • Credential Management (LOW): The skill correctly uses placeholders for sensitive environment variables like ETH_FROM, MNEMONIC, and PRIVATE_KEY. While not a finding of hardcoded secrets, these instructions define the context for handling high-value assets, which increases the impact of any potential exfiltration or injection attack.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 16, 2026, 05:52 AM