The Agent Skills Directory

Indirect Prompt Injection (LOW): The skill defines patterns where user-provided data (recipient addresses and ADA amounts) are interpolated into bash command templates. This presents a surface for indirect injection if an attacker provides malicious input designed to alter the shell command execution.
Ingestion points: User requests for transaction building (e.g., 'Send 10 ADA to...') in SKILL.md.
Boundary markers: Absent; templates use standard variable interpolation without delimiters.
Capability inventory: The skill references cardano-cli commands including signing and submission, implying a runtime with shell execution capabilities.
Sanitization: Absent; no validation logic is provided for addresses or amounts.
Dynamic Execution (LOW): The skill uses a context block in SKILL.md to execute cardano-cli version, which is a form of runtime command execution. Additionally, reference/tx-send-ada.md contains command substitution patterns ($(cat ...)) that an agent might attempt to execute directly.
Data Exposure & Exfiltration (LOW): The templates in both SKILL.md and reference/tx-send-ada.md explicitly reference sensitive file paths for private signing keys (payment.skey). While the skill warns against exposing keys, providing templates that interact with them increases the risk of accidental exposure during agent processing.

cardano-cli-transactions