allium-data

Fail

Audited by Gen Agent Trust Hub on May 13, 2026

Risk Level: HIGH
REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill instructs the user to install its CLI tool using a piped-to-shell pattern in SKILL.md and references/setup.md (curl -sSL http://agents.allium.so/cli/install.sh | sh). This executes code from a remote server without providing an opportunity for verification before execution.
  • [CREDENTIALS_UNSAFE]: The setup instructions in references/setup.md require the agent to collect highly sensitive information from the user, including blockchain private keys (for Tempo/x402 auth) and Privy managed wallet secrets (App ID, Secret, Wallet ID). These credentials are then passed as cleartext command-line arguments to the allium auth setup command, potentially exposing them in shell history and system process lists.
  • [COMMAND_EXECUTION]: The skill relies on the execution of the allium CLI tool with various subcommands and dynamically generated flags to perform blockchain queries.
  • [EXTERNAL_DOWNLOADS]: The skill retrieves documentation files from https://docs.allium.so/llms.txt to discover schemas and supported chains at runtime.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection due to its processing of untrusted on-chain data.
      • Ingestion points: Untrusted data such as token names, symbols, and transaction labels are ingested via the allium CLI output across all realtime reference files.
      • Boundary markers: There are no markers or instructions used to distinguish between data and agent instructions.
      • Capability inventory: The skill has the capability to execute shell commands and generate SQL queries based on ingested data (references/explorer.md).
      • Sanitization: No sanitization or validation mechanisms are described for the data retrieved from blockchain sources.
Recommendations
  • HIGH: Downloads and executes remote code from: http://agents.allium.so/cli/install.sh - DO NOT USE without thorough review
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: May 13, 2026, 06:44 AM