cardano-cli-wallets-operator

Fail

Audited by Gen Agent Trust Hub on Feb 16, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, DATA_EXFILTRATION
Full Analysis
  • [COMMAND_EXECUTION] (HIGH): The skill constructs shell commands by interpolating unvalidated user inputs (Wallet directory, Network magic) directly into Bash commands. Evidence: Ingestion points in Step 1 (wallet-dir, magic) are used in mkdir -p <wallet-dir> (Step 2) and cardano-cli ... --testnet-magic <magic> (Step 4). Capability inventory includes Bash(mkdir:*) and Bash(cardano-cli:*). Boundary markers are absent for these variables, and no sanitization logic is present, allowing for command injection (e.g., using ; or backticks in the directory path).
  • [CREDENTIALS_UNSAFE] (HIGH): The skill is designed to generate and handle sensitive Cardano private keys (.skey). While it contains operational rules to chmod 600 and 'NEVER display .skey' contents, the availability of Bash(cat:*) and Read tools provides a direct technical path for these keys to be accessed and ingested into the model's context or exfiltrated.
  • [DATA_EXFILTRATION] (MEDIUM): The exposure of private cryptographic keys, combined with the agent's capability to read files and communicate with the user, creates a risk of data exfiltration. While explicit network tools like curl are not enabled, the high sensitivity of the data being handled increases the potential impact of a compromise.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
Feb 16, 2026, 10:08 AM