trader-explain

Warn

Audited by Gen Agent Trust Hub on Jun 13, 2026

Risk Level: MEDIUM
Findings: COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION, EXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: Step 2 executes a shell command npx neural-trader --predict --signal "$SIGNAL_ID" --explain --json. The variable $SIGNAL_ID is sourced from the signalId argument provided by the user. If this input is not strictly validated to be alphanumeric, an attacker can perform command injection (e.g., by passing ; curl ...) to execute arbitrary code in the host environment.
  • [CREDENTIALS_UNSAFE]: Step 6 specifies a workflow to resolve a private signing key from the local filesystem at verification/witness-key.json or via the RUFLO_WITNESS_KEY_PATH environment variable. Accessing raw private keys (Ed25519) directly within a skill's logic increases the risk of credential exposure if the skill's execution context is compromised.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection (Category 8) as it ingests and processes untrusted data from the trading-signals memory namespace.
      ◦ Ingestion points: Step 1 retrieves signal data including modelId, prediction, and features from the trading-signals namespace.
      ◦ Boundary markers: No delimiters or instructions are used to distinguish between system instructions and data retrieved from memory.
      ◦ Capability inventory: The skill possesses significant capabilities including shell command execution (bash in Step 2) and persistence to long-lived memory (mcp__claude-flow__memory_store in Step 7).
      ◦ Sanitization: There is no evidence of sanitization or escaping for the features metadata or SIGNAL_ID before they are interpolated into the final markdown report or the bash command line.
  • [EXTERNAL_DOWNLOADS]: The skill uses npx neural-trader, which downloads and executes the neural-trader package from the npm registry at runtime. While this appears to be a resource associated with the author's ecosystem (ruvnet/ruflo), it represents an external dependency download.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Jun 13, 2026, 01:23 PM
Security Audit — agent-trust-hub — trader-explain