mcp-wallet

Warn

Audited by Gen Agent Trust Hub on Apr 7, 2026

Risk Level: MEDIUM (CREDENTIALS_UNSAFE, DATA_EXFILTRATION, COMMAND_EXECUTION)
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill manages highly sensitive BIP39 mnemonics and seeds for cryptocurrency wallets. The documentation explicitly states that when persistence is enabled, this data is stored as plaintext JSON in the .xno-mcp/wallets.json file. Storing private cryptographic keys without encryption is a critical security vulnerability that exposes funds to any user or process with read access to the filesystem.
  • [DATA_EXFILTRATION]: The skill's architecture involves sending transaction data and account queries to external RPC nodes. While the provided examples (e.g., rpc.nano.org, app.natrium.io) are well-known services in the Nano ecosystem, the configuration allows for any arbitrary rpcUrl or workUrl to be specified, which could be used to route transaction data to attacker-controlled endpoints.
  • [COMMAND_EXECUTION]: The skill utilizes several MCP tools (wallet_create, wallet_send, wallet_receive, config_set) that execute logic to manage private keys and perform network operations. These tools possess the capability to perform irreversible financial transactions (wallet_send).
  • [EXTERNAL_DOWNLOADS]: The skill references and encourages communication with external Nano node RPC endpoints for blockchain operations. It also mentions the use of WASM or WebGPU for local Proof-of-Work (PoW) generation, which may involve loading external execution modules.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Apr 7, 2026, 11:36 AM