opencontext

Warn

Audited by Gen Agent Trust Hub on Mar 11, 2026

Risk Level: MEDIUM
Flags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill requires the global installation of the @aicontextlab/cli package from NPM, which is an external dependency not associated with a trusted vendor or the skill author's verified resource patterns.
  • [COMMAND_EXECUTION]: The skill uses the Bash tool to execute system commands such as 'oc init' and 'oc index build'. It also modifies configuration files for AI editors (e.g., ~/.cursor/mcp.json, /.claude/mcp.json) and installs slash commands in user directories (/.cursor/commands, ~/.claude/commands), which acts as a persistence mechanism.
  • [CREDENTIALS_UNSAFE]: The skill provides instructions and commands to handle sensitive API keys (EMBEDDING_API_KEY) and store them in its local configuration file (~/.opencontext/opencontext.db).
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection because it ingests external document content and provides it as context to the agent.
      ◦ Ingestion points: Document files retrieved from ~/.opencontext/contexts or local repositories through tools like 'oc_search' and 'oc_manifest'.
      ◦ Boundary markers: No explicit boundary markers or instructions (such as 'ignore embedded commands') are used when the agent reads the retrieved context.
      ◦ Capability inventory: The skill allows access to powerful tools including Bash, Write, and Read, which could be exploited if the agent follows malicious instructions hidden in the context.
      ◦ Sanitization: There is no evidence of sanitization, validation, or escaping of the document content before it is interpolated into the agent's prompt context.
Audit Metadata
Risk Level: MEDIUM
Analyzed: Mar 11, 2026, 01:50 PM