The Agent Skills Directory

[CREDENTIALS_UNSAFE]: Hardcoded API credentials (accessKeyId and accessSecret) are present in lib/defaults.json. Although these are identified in comments as public keys for a free tier provided by the vendor, embedding credentials within the skill's source files is a security risk.
[COMMAND_EXECUTION]: The script scripts/exchange.mjs uses execSync to run npm install if the ccxt library is not detected during execution. This runtime modification of the environment via shell commands bypasses static dependency management.
[EXTERNAL_DOWNLOADS]: The skill makes network requests to open.aicoin.com to verify user subscription tiers and retrieve market data.
[PROMPT_INJECTION]: The skill has an indirect prompt injection surface as it processes data from external financial APIs and exchange platforms.
Ingestion points: External data enters the agent context via apiGet calls in lib/aicoin-api.mjs and financial data fetched from exchanges via the ccxt library in scripts/exchange.mjs.
Boundary markers: No specific boundary markers or instructions to ignore embedded content were found when processing API responses.
Capability inventory: The skill has capabilities including shell command execution (execSync for npm installation), file system writes (writeFileSync for pending orders), and network operations (fetch).
Sanitization: External data is primarily processed and displayed using standard JSON stringification.

aicoin-account