solana-payments-wallets-trading
Warn
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill relies on the execution of the @solana-compass/cli tool to perform sensitive wallet operations, balance checks, and blockchain transactions. These commands are executed via the local shell environment.
- [REMOTE_CODE_EXECUTION]: The skill uses npx @solana-compass/cli@latest, which involves downloading and executing arbitrary code from the public NPM registry at runtime. This bypasses static analysis of the tool's behavior and relies on the security of the remote package.
- [EXTERNAL_DOWNLOADS]: The skill instructions specify fetching and running code from the NPM registry, which is a non-trusted source for this specific package.
- [DATA_EXFILTRATION]: The sol fetch command supports the x402 protocol, which enables the automated signing and sending of USDC payments to remote HTTP servers when a '402 Payment Required' response is received. This capability could be used to exfiltrate funds if an agent is directed to a malicious endpoint.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection due to its extensive use of external data sources.
  - Ingestion points: Data enters the agent's context through sol fetch (arbitrary URLs), sol token browse (token metadata), and sol predict search/list (prediction market event data).
  - Boundary markers: The documentation does not specify the use of delimiters or 'ignore' instructions for the data returned by these commands.
  - Capability inventory: The agent has access to high-privilege commands such as token send, token swap, stake new, and lend deposit across multiple files (SKILL.md, trading-commands.md, staking-commands.md, lending-commands.md).
  - Sanitization: There is no evidence of sanitization or filtering of external content before it is processed by the agent, allowing potential instructions embedded in metadata or response bodies to influence the agent's behavior.
Audit Metadata