FXAI
Pass
Audited by VirusTotal on May 11, 2026.
Findings (1)
The skill bundle requires the AI agent to execute local Node.js scripts and manage a blockchain `PRIVATE_KEY`, which are high-risk capabilities. Specifically, `scripts/upload-token-meta.js` reads a local file and uploads it to an external endpoint (https://funcs.flap.sh/api/upload); while intended for token metadata, this creates a path traversal vulnerability where a prompt injection could trick the agent into exfiltrating sensitive files (e.g., SSH keys or environment files) by passing their paths as the image argument. Although the behavior aligns with the stated purpose of token creation, the combination of local script execution and file uploading poses a significant security risk.
