peer-to-peer-payments-exchange

Pass

Audited by Gen Agent Trust Hub on Mar 21, 2026

Risk Level: SAFE, PROMPT_INJECTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests untrusted data from multiple external sources and processes it through a language model to build execution plans.
    • Ingestion points: External data enters the context via connector.peer_market.get (market quotes), connector.peer_analytics.get (protocol performance), connector.peer_explorer.get (entity/intent lookups), and connector.peer_activity.get (live protocol event monitoring) as defined in the workflow in SKILL.md.
    • Boundary markers: The skill's instructions and script logic do not define clear delimiters or provide instructions to the agent to ignore potentially embedded commands within the ingested data.
    • Capability inventory: The skill possesses the capability to construct and influence execution plans based on this data through the connector.model.post tool, as described in the SKILL.md workflow summary.
    • Sanitization: There is no evidence of sanitization, structured validation, or escaping of the external content before it is interpolated into the model's context.
  • [DATA_EXFILTRATION]: The script scripts/agent.py contains a helper function _check_serenbucks_balance that communicates with api.serendb.com to retrieve balance information using an authorization token. This domain is identified as part of the skill author's infrastructure for account management and is used for standard balance monitoring tasks. This functionality is defined but not currently invoked by the main execution path.
Audit Metadata
Risk Level: SAFE
Analyzed: Mar 21, 2026, 02:44 AM