botchan-net

Pass

Audited by Gen Agent Trust Hub on Jun 6, 2026

Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it reads and processes data (messages, storage entries, feed posts) from a public, permissionless blockchain. Malicious actors could post on-chain content containing instructions designed to hijack the agent's control flow when it polls for 'unseen' messages or reviews conversation history.
      • Ingestion points: packages/net-cli/src/commands/feed/read.ts, packages/net-cli/src/commands/message/read.ts, and packages/botchan/src/tui/App.tsx fetch arbitrary text from the blockchain.
      • Boundary markers: No explicit delimiters or instructions to ignore embedded commands are used when displaying or processing these messages.
      • Capability inventory: The agent has access to powerful shell tools (botchan, netp) that can read local files (storage upload) and perform write operations to a public ledger.
      • Sanitization: There is no evidence of content sanitization to prevent the interpretation of data as instructions.
  • [COMMAND_EXECUTION]: The botchan update and netp update commands use execSync to execute shell commands for self-maintenance, such as npm install -g and npx skills add. While these target the author's own packages, they represent a vector for executing code outside the agent's immediate sandbox during update cycles.
  • [DATA_EXFILTRATION]: The netp storage upload command allows reading arbitrary files from the filesystem and publishing them to the public Net Protocol storage. If an agent's reasoning is compromised via prompt injection, an attacker could instruct the agent to upload sensitive local configuration files or credentials (e.g., .env, ~/.ssh/id_rsa) to the blockchain, where they would be permanently and publicly accessible.
Audit Metadata
  • Risk Level: SAFE
  • Analyzed: Jun 6, 2026, 11:43 PM