opencli-browser
Warn
Audited by Gen Agent Trust Hub on Apr 8, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill makes extensive use of the `opencli` command-line utility via the `Bash` tool to perform browser automation, system diagnostics (`opencli doctor`), and script verification.
- [DATA_EXFILTRATION]: The skill provides the agent with capabilities to access and extract sensitive information from the browser context. This includes monitoring and detailing network traffic (`opencli browser network`), which can expose authentication headers and API responses, and accessing active login sessions via the `Strategy.COOKIE` mechanism.
- [REMOTE_CODE_EXECUTION]: The skill implements a 'sedimentation' workflow where the agent is instructed to generate TypeScript code and write it to the local filesystem (`~/.opencli/clis/`). This code is then executed using the `opencli browser verify` command. This dynamic script generation and execution pattern represents a significant capability for running arbitrary code created at runtime.
- [PROMPT_INJECTION]: As a tool designed to ingest and process arbitrary web content, the skill is susceptible to indirect prompt injection.
  - Ingestion points: Web content retrieved via `state`, `get text`, `eval`, and `network` commands (SKILL.md).
  - Boundary markers: Absent; there are no specific instructions or delimiters provided to help the agent distinguish between its own instructions and content retrieved from websites.
  - Capability inventory: The skill has access to shell command execution (`Bash`), filesystem modification (`Write`, `Edit`), and network access (via the browser and `fetch` in adapters).
  - Sanitization: Absent; the skill does not define methods for sanitizing or escaping content retrieved from the web before the agent processes it or incorporates it into generated scripts.
Audit Metadata