Adds a Bankr skill for the AZZLE protocol on Base mainnet — post/claim tasks, USDC escrow, vault onboarding, and subgraph discovery. #495

Open
Dabus123 wants to merge 2 commits into BankrBot:main from Dabus123:add-azzle-skill

@Dabus123

Summary

  • azzle/SKILL.md — agent instructions (requires Bankr)
  • azzle/catalog.json — Discover catalog entry
  • azzle/references/ — onboarding gates + protocol reference
  • azzle/scripts/subgraph-open-tasks.sh — read-only POSTED task query

Test plan

  • catalog.json slug matches folder name (azzle)
  • Install command works: install the azzle skill from https://github.com/BankrBot/skills/tree/main/azzle
  • ./scripts/subgraph-open-tasks.sh returns JSON from the live subgraph
  • Contract addresses match contracts/deployments/base-8453.json in the main AZZLE repo

https://github.com/Dabus123/azzle

@saltoriousSIG saltoriousSIG left a comment

Collaborator

PR looks good overall, a couple of security issues to address

Mutable Fork Install Path
The onboarding docs still point users at Dabus123/azzle-skills as an install source in azzle/references/onboarding.md. Once this is merged, third parties should only be directed to the reviewed canonical BankrBot/skills path, so this block should be removed before merge or pinned to a specific commit if it must stay for pre-merge testing.

Missing Prompt-Injection Boundary For Marketplace Content
The skill handles untrusted marketplace data, subgraph fields, task descriptions, proofs, and XMTP messages in azzle/SKILL.md, but it does not explicitly tell the agent to treat those as data rather than instructions. Add a safety section stating that all task/XMTP/subgraph/counterparty content is untrusted, must not override system/user instructions, and must never trigger installs, shell commands, approvals, signatures, or transactions without explicit user confirmation.

Unsafe Raw Calldata Submission Guidance
The raw calldata example in azzle/SKILL.md encourages bankr wallet submit --data without requiring decode or verification. Since calldata may come from a task, counterparty, or website, this example should be removed or changed to require decoding and verifying selector, function, task id, amount, recipient, chain, and contract address before signing.

Open-Ended Token Approval Prompts
The approval examples in azzle/SKILL.md, azzle/references/onboarding.md, and azzle/catalog.json are open-ended and may result in unlimited approvals. These should be amount-bounded, e.g. approve exactly $50 USDC to AgentDepositVault and exactly 10,000 AZZLE to TreasuryRouter, with spender address confirmation before signing.

Mutable NPM Execution Via Latest Tag
The docs recommend npx @azzle/agents@latest in azzle/SKILL.md and azzle/references/protocol.md, which executes mutable third-party npm code. For a skill intended for third-party installation and wallet-adjacent workflows, this should be pinned to a reviewed package version or paired with explicit package verification/provenance guidance before running it.
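
The decode-and-verify step and the amount-bounded approval raised in the review above can be enforced mechanically before anything is signed. The following is an added example, not code from this PR or from the AZZLE or Bankr projects; the addresses are constructed placeholders and the names `check_approval`, `decode_approve`, `build_approve` and `POLICY` are hypothetical.

```python
# Added example: refuse to sign ERC-20 approve calldata unless it matches
# what the user explicitly confirmed (chain, token, spender, exact amount).
APPROVE_SELECTOR = bytes.fromhex("095ea7b3")  # approve(address,uint256)
MAX_UINT256 = 2**256 - 1

# Constructed placeholder addresses, not real deployments.
USDC = "0x" + "11" * 20
VAULT = "0x" + "22" * 20
# Policy the user confirmed: exactly 50 USDC (6 decimals) on Base (chain 8453).
POLICY = {"chain_id": 8453, "token": USDC, "spender": VAULT, "amount": 50 * 10**6}

def decode_approve(calldata_hex):
    """Return (spender, amount); raise ValueError if not a well-formed approve call."""
    data = bytes.fromhex(calldata_hex.removeprefix("0x"))
    if len(data) != 4 + 32 + 32:
        raise ValueError("unexpected calldata length")
    if data[:4] != APPROVE_SELECTOR:
        raise ValueError("selector is not approve(address,uint256)")
    if any(data[4:16]):
        raise ValueError("non-zero padding in address word")
    return "0x" + data[16:36].hex(), int.from_bytes(data[36:68], "big")

def check_approval(to, calldata_hex, chain_id, policy):
    """Return the reasons to refuse signing; an empty list means the call matches policy."""
    problems = []
    if chain_id != policy["chain_id"]:
        problems.append("wrong chain")
    if to.lower() != policy["token"].lower():
        problems.append("wrong token contract")
    try:
        spender, amount = decode_approve(calldata_hex)
    except ValueError as exc:
        return problems + [str(exc)]
    if spender != policy["spender"].lower():
        problems.append("unexpected spender")
    if amount == MAX_UINT256:
        problems.append("unlimited approval")
    elif amount != policy["amount"]:
        problems.append("amount differs from confirmed amount")
    return problems

def build_approve(spender, amount):
    """Build constructed sample calldata for exercising the checks."""
    body = bytes(12) + bytes.fromhex(spender[2:]) + amount.to_bytes(32, "big")
    return "0x" + (APPROVE_SELECTOR + body).hex()
```

Calldata that arrives from a task, counterparty, or website goes through `check_approval` first, and any non-empty result is shown to the user instead of being signed.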

@Dabus123 Dabus123 left a comment

Author

Addressed all five items: removed fork install path; added untrusted-data / prompt-injection boundary for task, subgraph, and XMTP content; removed raw calldata submit example; bounded approval prompts to exact $50 USDC and 10,000 AZZLE with spender confirmation; pinned @azzle/agents@0.2.5 with npm verification guidance.


2 participants