The Agent Skills Directory

[EXTERNAL_DOWNLOADS]: The skill downloads ZK-SNARK circuit files (.zkey and .wasm) from a CloudFront CDN (d3j9fjdkre529f.cloudfront.net). These assets are required for the privacy-preserving cryptographic operations (Groth16 proofs) performed locally by the agent.
[COMMAND_EXECUTION]: The skill uses child_process.execSync in premium.cjs to invoke other scripts within the same skill package (pay-invoice.cjs). This is used to chain payment fulfillment with API requests and does not involve executing external or untrusted binary commands.
[CREDENTIALS_SAFE]: Private keys are stored locally in the user's home directory (~/.veilpay/wallet.json) with restricted file permissions (0o600), ensuring that the agent's secrets are not accessible to other users on the system. It also supports loading keys via environment variables for flexible deployment.
[DATA_EXPOSURE]: The skill interacts with vendor-owned domains (veilpayments.xyz) and public Solana RPC nodes to facilitate transactions. A fund-sweeping mechanism is present in claim-link.cjs to move leftover SOL from ephemeral accounts to a vendor-controlled overage wallet; this behavior is transparently documented as a service fee/management mechanism.
[INDIRECT_PROMPT_INJECTION]: Several scripts ingest JSON data (invoices) from external sources. The skill includes validation logic (validateInvoice) to ensure the data adheres to the expected schema before processing it for cryptographic proofs.

veilpay