okx-x402-payment

Fail

Audited by Gen Agent Trust Hub on May 11, 2026

Risk Level: HIGH
CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [CREDENTIALS_UNSAFE]: The skill instructs the agent to read the sensitive file path ~/.onchainos/.env to check for an EVM_PRIVATE_KEY. While this is described as a local signing fallback, accessing a user's private key file directly exposes highly sensitive credentials to the agent's context.
  • [COMMAND_EXECUTION]: The skill is vulnerable to command injection because it populates CLI arguments for the onchainos tool using raw data received from untrusted external HTTP responses. Specifically, the --challenge parameter in mpp.md and the --accepts parameter in x402.md are derived directly from server headers and bodies, allowing a malicious server to inject arbitrary shell commands if the input is not properly escaped.
  • [PROMPT_INJECTION]: The skill exhibits a significant surface for indirect prompt injection as it processes data from remote servers that can influence agent behavior and CLI parameters.
      • Ingestion points: Data is ingested from WWW-Authenticate and PAYMENT-REQUIRED headers, as well as response bodies across SKILL.md, protocols/mpp.md, and protocols/x402.md.
      • Boundary markers: There are no defined delimiters or instructions to ignore instructions embedded within the payment challenges.
      • Capability inventory: The skill has access to high-privilege capabilities including wallet signing via TEE and local private keys, as well as network request replay.
      • Sanitization: No instructions are provided for sanitizing or validating the content of the challenges before they are interpolated into commands.
Recommendations
  • AI detected serious security threats
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: May 11, 2026, 07:02 PM