opencli
Warn
Audited by Gen Agent Trust Hub on Mar 27, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires installation of the @jackwener/opencli NPM package and the 'Playwright MCP Bridge' Chrome extension, which originate from third-party sources outside of established trusted organizations.
- [COMMAND_EXECUTION]: The skill operates by executing shell commands via the opencli binary and the playwright MCP server to interact with target websites.
- [REMOTE_CODE_EXECUTION]: The 'Self-iteration' capability instructs the agent to create new adapters by writing YAML files to ~/.opencli/clis/. These files contain arbitrary JavaScript code within evaluate blocks that the tool subsequently executes, enabling dynamic code execution.
- [DATA_EXFILTRATION]: The skill is designed to access sensitive personal data across multiple platforms, including private history, bookmarks, and potentially messages (via Playwright fallback), by leveraging the user's authenticated browser sessions.
- [PROMPT_INJECTION]: The skill processes untrusted content from social media platforms and search results, presenting a surface for indirect prompt injection attacks.
- Ingestion points: Data retrieved from external sites via opencli and Playwright snapshots.
- Boundary markers: None are specified in the instructions to protect against instructions embedded in the ingested data.
- Capability inventory: Shell command execution, local file modification, and browser automation.
- Sanitization: No sanitization of ingested content is defined before it is processed by the agent.
Audit Metadata