oracle
Pass
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill metadata specifies the installation of the @steipete/oracle package from the npm registry. This is a third-party dependency maintained by a well-known developer.
- [REMOTE_CODE_EXECUTION]: The documentation recommends using `npx -y @steipete/oracle --help`, which downloads and executes the package from the npm registry. This is a standard remote code execution pattern for Node.js utilities.
- [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface (Category 8) because its primary function is to ingest local files and provide them as context to an LLM.
  - Ingestion points: Local files, directories, and globs specified via the `--file` flag as described in SKILL.md.
  - Boundary markers: No explicit delimiters or 'ignore' instructions are documented to distinguish between file content and the system prompt in the bundled payload.
  - Capability inventory: The tool processes local file content and transmits it to external LLM providers (OpenAI, Gemini) via browser automation or API keys, and can be used to serve a remote browser host.
  - Sanitization: The skill advises users to redact secrets manually but does not mention automated sanitization or verification of the content being attached.
- [METADATA_POISONING]: The skill documentation repeatedly mentions a non-existent 'GPT-5.2 Pro' model and engine. While likely a placeholder or custom configuration name used by the tool author, this information is factually inaccurate relative to current LLM releases.
Audit Metadata