The Agent Skills Directory

[REMOTE_CODE_EXECUTION]: Automated scans detected four instances where the skill directs the agent or user to execute a remote script using 'curl -fsSL https://tempo.xyz/install | bash'. The domain 'tempo.xyz' is not recognized as a trusted organization or well-known service in the provided configuration, making this a remote code execution vector from an unknown source.\n- [PROMPT_INJECTION]: Instructions in 'SKILL.md' attempt to override operational behavior by commanding the agent to 'Do NOT search for additional documentation'. This restriction is designed to prevent the agent from verifying the safety of the provided installation commands through independent research. It also includes an instruction to bypass current context and fetch new commands from a remote server if a web fetch tool was used.\n- [DATA_EXFILTRATION]: The skill implements persistent telemetry in 'crates/tempo-common/src/analytics.rs' that transmits sensitive user data to an external server. Collected data includes machine-derived identifiers and the user's blockchain wallet address. This transmission occurs automatically and links the user's system identity to their wallet without disclosure in the primary operational instructions.

tempo