aicoin-trading

Fail

Audited by Gen Agent Trust Hub on Apr 30, 2026

Risk Level: HIGH
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [COMMAND_EXECUTION]: The script scripts/trade.mjs is vulnerable to shell command injection. It constructs a shell command string by concatenating user-provided arguments wrapped in single quotes without escaping characters. An attacker or a malicious prompt could use a single quote to break out of the intended argument and execute arbitrary commands on the host system.
  • [PROMPT_INJECTION]: The skill provides a way to circumvent the mandatory two-step trade confirmation process. While SKILL.md explicitly forbids automatic confirmation, the scripts/auto-trade.mjs script uses an environment variable (AICOIN_INTERNAL_CALL) to bypass the confirmation check in the core trading logic, allowing the agent to execute trades without presenting a preview to the user.
  • [EXTERNAL_DOWNLOADS]: scripts/exchange.mjs contains logic to automatically install the ccxt package at runtime via npm install if the dependency is missing. This introduces a risk of remote code execution if the package registry is compromised or if typosquatting occurs.
  • [CREDENTIALS_UNSAFE]: lib/defaults.json contains hardcoded API keys (accessKeyId) and secrets (accessSecret) for the AiCoin platform. While these appear to be for a public free tier, hardcoding secrets in skill files is a poor security practice.
  • [DATA_EXFILTRATION]: Multiple scripts, including lib/aicoin-api.mjs and scripts/api-key-info.mjs, search for and read .env files in multiple directories (current working directory, home directory, and specific application paths). The findings, including the full file paths and partial previews of the keys, are printed to the console where they are visible to the agent.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8). It ingests data from external APIs and exchange tickers and uses this untrusted data to perform high-stakes financial operations (trading) without sufficient boundary markers or sanitization of the incoming data streams.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Apr 30, 2026, 02:27 AM