opencli-oneshot
Fail
Audited by Gen Agent Trust Hub on Apr 2, 2026
Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill contains a hardcoded authentication token in the 'TS — Header' example (Authorization: Bearer AAAAAAAAAAAAAAAAAAAAANRILgAAAAA...). While potentially a public guest token, hardcoding such values is a poor security practice.
- [CREDENTIALS_UNSAFE]: The skill provides explicit instructions for extracting sensitive session identifiers from the browser environment, including the retrieval of session cookies (`document.cookie`) and CSRF tokens (`X-Csrf-Token`).
- [DATA_EXFILTRATION]: The skill automates the process of making authenticated network requests using `fetch` with `credentials: 'include'`. This capability allows for the automated extraction of user-specific data from any website the user is currently logged into in the browser session.
- [COMMAND_EXECUTION]: The workflow describes the generation of executable TypeScript and YAML files based on captured network traffic. These generated scripts are then executed locally via `npm run build` and the `opencli` command, representing a dynamic script generation and execution risk.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection as it ingests untrusted data from arbitrary URLs via `browser_navigate` and `browser_network_requests`. This data is then used to construct executable adapters without evidence of sanitization or boundary markers.
- Ingestion points: Network request logs and page content from external URLs (SKILL.md).
- Boundary markers: None identified.
- Capability inventory: File writing, browser evaluation, authenticated network requests, and local command execution.
- Sanitization: None identified; captured API data is interpolated directly into code templates.
Recommendations
- AI detected serious security threats
Audit Metadata