opencli-repair
Pass
Audited by Gen Agent Trust Hub on Apr 5, 2026
Risk Level: SAFE
Findings: PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted data from external websites to determine how to patch local code. An attacker could embed malicious instructions within a website's DOM or API responses to influence the agent's logic during the diagnostic and patching process.
  - Ingestion points: Processes data from 'diagnostic.json' (including the 'snapshot' and 'networkRequests' fields) and the output of 'opencli operate state'.
  - Boundary markers: Employs 'OPENCLI_DIAGNOSTIC' markers to delimit diagnostic data, but gives no instruction to treat the ingested content as untrusted or non-instructional.
  - Capability inventory: The agent uses 'Edit' and 'Write' to modify local adapter source code and 'Bash(opencli:*)' to execute code, creating a path by which malicious instructions in web data could lead to unauthorized code modification.
  - Sanitization: No evidence of sanitization or content filtering for the ingested web data is present.
- [COMMAND_EXECUTION]: The skill utilizes the 'Bash' tool to run 'opencli' commands for diagnostics and for testing patched adapters. While scoped to the 'opencli' binary, this involves executing code that the agent has modified based on external inputs.
Audit Metadata