The Agent Skills Directory

[CREDENTIALS_UNSAFE]: The skill generates a local Ethereum wallet during the setup phase and stores the private key in plain text within a JSON file at state/wallet.local.json. While the code attempts to set restrictive file permissions (chmod 600), storing unencrypted keys on disk is a high-risk practice.
[COMMAND_EXECUTION]: The scripts/run_agent_server.py utility starts an unauthenticated HTTP server that can be used to remotely trigger the trading logic. The server binds to 0.0.0.0 by default, exposing the execution endpoint to the entire local network, which could allow unauthorized users to trigger financial transactions.
[DATA_EXFILTRATION]: The skill transmits detailed trading records, configuration data, and account positions to a remote PostgreSQL database specified by the SERENDB_URL environment variable. This is intended for the vendor's reporting platform but involves sending sensitive activity data externally.
[PROMPT_INJECTION]: The skill processes data from the Curve Finance API (/getGauges) to determine trade targets, which presents an indirect injection surface if the external API is compromised.
Ingestion points: Data is fetched in scripts/agent.py via the fetch_top_gauges function.
Boundary markers: The skill includes explicit pre-flight checks for credentials and RPC connectivity before execution.
Capability inventory: The agent can sign and broadcast transactions to various EVM-compatible blockchains.
Sanitization: The skill validates Ethereum addresses using regular expression patterns before incorporating them into transaction data.

curve-gauge-yield-trader