ens-primary-name

Warn

Audited by Gen Agent Trust Hub on Apr 11, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The scripts scripts/set-avatar.sh, scripts/set-primary.sh, and scripts/verify-primary.sh use the node -e command to execute inline JavaScript blocks. These blocks are constructed by directly interpolating shell variables containing user-supplied input (such as $ENS_NAME, $AVATAR_URL, and $ADDRESS) into the code strings without any sanitization or escaping. This allows a malicious input to break out of the string literal and execute arbitrary Node.js code on the system.
  • [EXTERNAL_DOWNLOADS]: The skill performs network requests to external blockchain infrastructure providers to resolve names and submit transactions. This includes calls to The Graph's ENS subgraph (api.thegraph.com), various well-known public RPC endpoints (e.g., eth.publicnode.com, mainnet.base.org), and the Thirdweb API (api.thirdweb.com). These services are used for their intended purpose within the skill's domain of ENS management.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 11, 2026, 04:18 AM