@2405/sol-scalper

Warn

Audited by Gen Agent Trust Hub on Apr 1, 2026

Risk Level: MEDIUM
  • REMOTE_CODE_EXECUTION
  • COMMAND_EXECUTION
  • EXTERNAL_DOWNLOADS
  • PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The script scripts/tf_comparison_chart.py uses pickle.load() to deserialize results from /tmp/tf_results.pkl. Deserializing untrusted data with the pickle module is unsafe, as it allows arbitrary code execution. Although the file is intended to be generated by a companion script, using temporary storage for serialized objects is a risk vector.
  • [COMMAND_EXECUTION]: The setup script scripts/setup_alert.py uses subprocess.run() to execute the signal_monitor.py script as a test. This represents a capability to execute shell commands and launch subprocesses within the agent's environment during the installation process.
  • [EXTERNAL_DOWNLOADS]: Multiple scripts, including scripts/signal_monitor.py and various backtest utilities, perform HTTP POST requests to the Hyperliquid API (https://api.hyperliquid.xyz/info) to retrieve the market candle data required for the strategy.
  • [PROMPT_INJECTION]: The skill exhibits an attack surface for indirect prompt injection by processing external data. Ingestion point: api.hyperliquid.xyz market data in scripts/signal_monitor.py. Boundary markers: none present. Capability inventory: file system writes and task registration in scripts/setup_alert.py, command execution via subprocess.run, and unsafe deserialization via pickle.load. Sanitization: the data is converted from JSON to numerical pandas DataFrames.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Apr 1, 2026, 02:53 PM
Security Audit — agent-trust-hub — @2405/sol-scalper