locus-agent-tools

Warn

Audited by Gen Agent Trust Hub on Jun 21, 2026

Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE)
Full Analysis
  • [REMOTE_CODE_EXECUTION]: The skill includes instructions for installation using npx @velinussage/locus-agent-skill add, which involves downloading and executing code from a remote package registry. While the package belongs to the skill author, this pattern represents runtime remote code execution.
  • [CREDENTIALS_UNSAFE]: The skill documentation details a payment flow (x402) requiring the agent to sign EIP-3009 USDC authorizations and transmit them via the X-PAYMENT header to the Locus API. Instructing an agent to handle and transmit signed financial authorizations is a significant credential-handling risk and creates potential for misuse.
  • [EXTERNAL_DOWNLOADS]: The skill fetches tool schemas, catalogs, and geographic data from several external endpoints including api.locus.report, mcp.locus.report, and github.com/velinussage/locus.
  • [COMMAND_EXECUTION]: The skill requests access to the Bash tool and provides shell command examples for interacting with the Locus API using curl. This allows the agent to execute network-active commands on the host environment.
  • [PROMPT_INJECTION]: The skill contains instructions that attempt to enforce specific response behaviors, such as "Do not score, rank, predict, screen, value, or label a person, property, block, or neighborhood as safe/unsafe." These guidelines are meant to restrict the agent's evaluative capabilities based on the data it retrieves from external sources.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Jun 21, 2026, 04:40 PM