opencontext
Warn
Audited by Gen Agent Trust Hub on Mar 11, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs users to install a global CLI package (@aicontextlab/cli) from npm and points to external software releases on GitHub (0xranx/OpenContext). These sources are not recognized as trusted organizations or well-known services, posing a risk of untrusted code execution.
- [COMMAND_EXECUTION]: To function, the skill relies on the Bash tool to execute commands through the oc CLI. This allows the skill to interact with the local filesystem, manage a local database (~/.opencontext/opencontext.db), and communicate with embedding APIs, which could be leveraged for unauthorized actions if the CLI tool is compromised.
- [PROMPT_INJECTION]: The skill exhibits a high surface area for indirect prompt injection (Category 8).
  - Ingestion points: Data enters the agent's context through oc_search, oc_manifest, and documents stored in ~/.opencontext/contexts.
  - Boundary markers: There are no explicit instructions or delimiters mentioned in the skill to treat retrieved context as untrusted data or to ignore embedded instructions.
  - Capability inventory: The skill possesses significant capabilities, including Bash command execution and Write file access.
  - Sanitization: No evidence of sanitization or validation of the retrieved content is provided. If a stored document contains malicious instructions, the agent may execute them with the privileges assigned to the skill.
Audit Metadata