The Agent Skills Directory

[SAFE]: The skill is authored by ProjectOpenSea and exclusively interacts with official vendor domains (api.opensea.io, stream-api.opensea.io, privy.io, turnkey.com, fireblocks.com, bankr.bot). These interactions are considered safe under trusted source recognition.
[SAFE]: Implements a robust wallet security architecture in opensea-wallet. It supports managed providers (Privy, Turnkey, Fireblocks, Bankr) that enforce per-transaction policies in Trusted Execution Environments (TEE) or HSMs.
[SAFE]: The skill strictly isolates administrative "mutation recipes" (e.g., policy updates, key rotation) by placing them in docs/policy-administration.md, which is located outside the skill's mount path. This prevents the agent from being able to modify its own spending caps or security policies if compromised.
[SAFE]: Explicitly addresses the risk of Indirect Prompt Injection from untrusted third-party data. opensea-api/SKILL.md contains clear instructions to the agent to treat all content from API responses (such as NFT names or descriptions) as untrusted and to never execute instructions found within those fields.
[SAFE]: Shell scripts in the scripts/ directories use standard utilities (curl, jq) with proper error handling, retries for rate-limiting (429), and secure temporary file handling via mktemp.
[SAFE]: No malicious obfuscation, credential harvesting, or unauthorized remote code execution patterns were detected across the 64 files analyzed.

opensea