lavarage
Pass
Audited by Gen Agent Trust Hub on Apr 20, 2026
Risk Level: SAFE
Findings flagged: CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill contains a hardcoded API key labelled as production ('lv2_prod_5e5f38fefc893ade780d8a2ccd7433ad8307808c83260e75') in SKILL.md and templates/client.ts. The documentation describes it as a public integration key used for fee routing; even so, a key carrying a 'prod' label embedded in client-side code cannot be rotated without a code change and is recorded here as a credential-handling concern.
- [EXTERNAL_DOWNLOADS]: The skill makes network requests to 'https://api.lavarage.xyz' to retrieve token data, market offers, and transaction payloads.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because the data it uses to build transactions comes from an external API.
  1. Ingestion points: market offers, quotes, and transaction templates are fetched from 'https://api.lavarage.xyz'.
  2. Boundary markers: no delimiters or special instructions separate API response content from agent instructions, so malicious content in a response could influence the agent.
  3. Capability inventory: the skill can sign and submit Solana transactions through the 'submitTransaction' and 'submitBundle' methods of LavaApiClient.
  4. Sanitization: the transaction structure and target addresses received from the API are not validated client-side before the user is prompted to sign.
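The PROMPT_INJECTION finding turns on the missing pre-signing check. As an added illustration, not code from the lavarage skill or its templates/client.ts, here is a minimal gate that decodes a legacy Solana transaction returned by an untrusted API and refuses to hand it to the wallet unless the fee payer is the user's own key and every instruction targets an allowlisted program ID. The parser, the policy object, the placeholder keys and the sample transactions are all constructed for this example; keys are compared as hex rather than base58 so the block runs with no dependencies.

```typescript
// Added example (not part of the lavarage skill): gate a Solana legacy transaction
// fetched from an untrusted API before it reaches the user's signer.
type Instruction = { programId: string; accounts: string[]; data: Uint8Array };
type ParsedTx = { feePayer: string; accounts: string[]; instructions: Instruction[] };
type Policy = { allowedPrograms: Set<string>; expectedFeePayer: string; maxInstructions: number };

const toHex = (b: Uint8Array): string =>
  Array.from(b, (x) => x.toString(16).padStart(2, "0")).join("");

function need(buf: Uint8Array, off: number, len: number): void {
  if (off + len > buf.length) throw new Error(`truncated at byte ${off}`);
}

// Solana "compact-u16": 1-3 bytes, 7 payload bits per byte, MSB set means continue.
function readCompactU16(buf: Uint8Array, off: number): [number, number] {
  let value = 0;
  for (let i = 0; i < 3; i++) {
    need(buf, off, 1);
    const byte = buf[off++];
    value |= (byte & 0x7f) << (7 * i);
    if ((byte & 0x80) === 0) return [value, off];
  }
  throw new Error("compact-u16 too long");
}

function encodeCompactU16(n: number): number[] {
  const out: number[] = [];
  do { let byte = n & 0x7f; n >>= 7; if (n > 0) byte |= 0x80; out.push(byte); } while (n > 0);
  return out;
}

// Wire layout of a legacy transaction: signatures, then message
// (3-byte header, static account keys, recent blockhash, instructions).
function parseLegacyTransaction(tx: Uint8Array): ParsedTx {
  let off = 0, n: number, k: number, dlen: number;
  [n, off] = readCompactU16(tx, off);             // signature count
  need(tx, off, 64 * n); off += 64 * n;           // skip signature slots
  need(tx, off, 3);
  if (tx[off] & 0x80) throw new Error("versioned (v0) message: not handled by this example");
  off += 3;                                       // numRequiredSigs, roSigned, roUnsigned
  [n, off] = readCompactU16(tx, off);             // static account keys
  need(tx, off, 32 * n);
  const accounts: string[] = [];
  for (let i = 0; i < n; i++) { accounts.push(toHex(tx.subarray(off, off + 32))); off += 32; }
  need(tx, off, 32); off += 32;                   // recent blockhash
  [n, off] = readCompactU16(tx, off);             // instruction count
  const lookup = (j: number): string => {
    if (j >= accounts.length) throw new Error(`account index ${j} out of range`);
    return accounts[j];
  };
  const instructions: Instruction[] = [];
  for (let i = 0; i < n; i++) {
    need(tx, off, 1);
    const programIdx = tx[off++];
    [k, off] = readCompactU16(tx, off);
    need(tx, off, k);
    const idx = Array.from(tx.subarray(off, off + k)); off += k;
    [dlen, off] = readCompactU16(tx, off);
    need(tx, off, dlen);
    const data = tx.slice(off, off + dlen); off += dlen;
    instructions.push({ programId: lookup(programIdx), accounts: idx.map(lookup), data });
  }
  if (off !== tx.length) throw new Error("trailing bytes after transaction");
  return { feePayer: accounts[0], accounts, instructions };
}

// Returns an empty list when the transaction may be shown to the user for signing.
function checkBeforeSigning(tx: Uint8Array, policy: Policy): string[] {
  let parsed: ParsedTx;
  try { parsed = parseLegacyTransaction(tx); } catch (e) { return [`unparseable: ${(e as Error).message}`]; }
  const problems: string[] = [];
  if (parsed.feePayer !== policy.expectedFeePayer) problems.push(`fee payer ${parsed.feePayer} is not the user's wallet`);
  if (parsed.instructions.length > policy.maxInstructions) problems.push(`${parsed.instructions.length} instructions exceed the limit`);
  parsed.instructions.forEach((ix, i) => {
    if (!policy.allowedPrograms.has(ix.programId)) problems.push(`instruction ${i} calls non-allowlisted program ${ix.programId}`);
  });
  return problems;
}

// Constructed sample: one empty signature slot, fee payer first, one instruction per program.
function buildSampleTx(feePayer: Uint8Array, programs: Uint8Array[]): Uint8Array {
  const accounts = [feePayer, ...programs];
  const bytes: number[] = [...encodeCompactU16(1), ...new Array(64).fill(0), 1, 0, programs.length,
    ...encodeCompactU16(accounts.length)];
  for (const a of accounts) bytes.push(...a);
  bytes.push(...new Array(32).fill(0xab));                       // placeholder blockhash
  bytes.push(...encodeCompactU16(programs.length));
  programs.forEach((_, i) => bytes.push(i + 1, ...encodeCompactU16(1), 0, ...encodeCompactU16(2), 0xde, 0xad));
  return Uint8Array.from(bytes);
}

// Placeholder keys (constructed, not real Solana addresses).
const USER_WALLET = new Uint8Array(32).fill(0x11);
const KNOWN_PROGRAM = new Uint8Array(32).fill(0x22);
const ROGUE_PROGRAM = new Uint8Array(32).fill(0x33);
const POLICY: Policy = { allowedPrograms: new Set([toHex(KNOWN_PROGRAM)]), expectedFeePayer: toHex(USER_WALLET), maxInstructions: 4 };
const GOOD_TX = buildSampleTx(USER_WALLET, [KNOWN_PROGRAM]);
const ROGUE_TX = buildSampleTx(USER_WALLET, [KNOWN_PROGRAM, ROGUE_PROGRAM]);
console.log(checkBeforeSigning(GOOD_TX, POLICY), checkBeforeSigning(ROGUE_TX, POLICY));
```

Versioned (v0) messages with address lookup tables are rejected rather than resolved, so a client that receives them needs the table lookup before the same policy can be applied. An allowlist on program IDs is only the first layer: a production gate would also decode instruction data for the allowlisted programs (transfer amounts, destination accounts, authority changes) before presenting anything to the signer.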
Audit Metadata