opencli-social-platforms
Fail
Audited by Gen Agent Trust Hub on Mar 18, 2026
Risk Level: HIGH (COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION)
Full Analysis
- [DATA_EXFILTRATION]: The skill's core functionality involves reusing active Chrome browser login sessions to access private data across multiple platforms (Twitter, Bilibili, Reddit, etc.).
- Evidence: Documentation states it reuses "existing Chrome browser login sessions" to access history, bookmarks, timelines, and feeds.
- [COMMAND_EXECUTION]: The skill executes numerous shell commands via the `opencli` tool to perform both read and write operations on external platforms.
- Evidence: Lists commands like `opencli twitter post`, `opencli weibo post`, and `opencli v2ex checkin` which modify platform state.
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of a third-party global npm package and a specific Chrome extension to function.
- Evidence: Instructions require `npm install -g @jackwener/opencli` and installation of the "Playwright MCP Bridge" extension from the Chrome Web Store.
- [REMOTE_CODE_EXECUTION]: The installation process involves executing remote code from a registry via `npx`.
- Evidence: `claude mcp add playwright --scope user -- npx @playwright/mcp@latest`.
- [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection as it ingests large amounts of untrusted data from social media platforms (comments, posts, search results) which are then processed by the agent.
- Ingestion points: Twitter timelines, Reddit posts, YouTube search results, Bilibili feeds (SKILL.md).
- Boundary markers: None specified in the instructions.
- Capability inventory: Full command execution and platform write access (SKILL.md).
- Sanitization: No mention of content filtering or sanitization of ingested platform data.
Recommendations
- AI detected serious security threats
Audit Metadata