opencli-operate

Pass

Audited by Gen Agent Trust Hub on Apr 2, 2026

Risk Level: SAFE
Findings: COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [COMMAND_EXECUTION]: The skill operates by executing the opencli command-line tool via the system shell.
      ◦ The agent interacts with the browser using commands such as opencli operate open, opencli operate click, and opencli operate state.
  • [EXTERNAL_DOWNLOADS]: The documentation instructs the user to install a global npm package, @jackwener/opencli.
      ◦ This package is a vendor resource provided by the skill's author (jackwener).
  • [DATA_EXFILTRATION]: The skill provides tools to extract sensitive information from the browser context.
      ◦ Tools like opencli operate screenshot, opencli operate get html, and opencli operate network can capture authentication sessions, private API responses, and page content.
  • [REMOTE_CODE_EXECUTION]: The skill facilitates the execution of arbitrary code within two contexts.
      ◦ The opencli operate eval command executes arbitrary JavaScript directly in the browser's execution environment.
      ◦ The 'Sedimentation' workflow involves writing TypeScript code to the local filesystem (~/.opencli/clis/) and subsequently executing it using the verify command.
  • [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection, as it retrieves and processes untrusted data from external websites.
      ◦ Ingestion points: Untrusted data enters the agent context through opencli operate state, opencli operate get text, and opencli operate get html.
      ◦ Boundary markers: The instructions do not define clear boundaries or specify that the agent should ignore instructions embedded within the retrieved web content.
      ◦ Capability inventory: The agent possesses high-impact capabilities, including Bash access and the ability to write to the local filesystem, which could be exploited if the agent follows malicious instructions found on a website.
      ◦ Sanitization: There is no evidence of sanitization or validation of the web content before it is presented to the agent.
Audit Metadata
Risk Level: SAFE
Analyzed: Apr 2, 2026, 03:45 PM