opencli-usage
Fail
Audited by Gen Agent Trust Hub on Apr 2, 2026
Risk Level: HIGH
Flags: COMMAND_EXECUTION, DATA_EXFILTRATION, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of the `@jackwener/opencli` package from npm and a 'Browser Bridge' Chrome extension. These components are necessary for the tool to function but introduce external code into the user's environment.
- [COMMAND_EXECUTION]: The tool provides an `opencli install <name>` command specifically designed to 'Auto-install an external CLI'. This allows for the dynamic installation and potential execution of arbitrary external software (e.g., GitHub CLI, Obsidian) based on the provided name.
- [DATA_EXFILTRATION]: The skill documents extensive capabilities for reading sensitive, authenticated data from dozens of platforms where the user is already logged in, including:
  - Social Media: Twitter bookmarks, DM requests, and threads; Facebook friends and notifications; Instagram profiles and saved posts.
  - Professional/Private: LinkedIn searches, Notion page content and favorites, Discord messages and member lists, and BOSS recruitment data.
  - Financial: Stock portfolios and holdings from Xueqiu and Barchart.
- [REMOTE_CODE_EXECUTION]: The tool includes an advanced 'AI Agent Workflow' featuring `explore`, `synthesize`, and `record` commands. These commands dynamically generate and execute YAML-based interaction logic (e.g., `evaluate`-based YAML pipelines) to capture API calls and manipulate the DOM of websites.
- [PROMPT_INJECTION]: The skill possesses a large attack surface for Indirect Prompt Injection. It is designed to ingest untrusted data from the public web (via `web read`, `search`, and `feed` commands) and return that content to the agent. This content could contain malicious instructions that influence the agent to use the tool's 'write' capabilities (e.g., `twitter post`, `boss send`, `facebook add-friend`) for unauthorized actions.
  - Ingestion points: Commands like `opencli web read --url`, `opencli twitter search`, and `opencli reddit read` fetch external, untrusted content.
  - Boundary markers: The documentation does not mention the use of delimiters or warnings to ignore instructions within the fetched data.
  - Capability inventory: The tool has broad capabilities including file system writes (`record --out`), network requests, and interaction with local applications (Cursor, Discord, Notion).
  - Sanitization: There is no indication that external content is sanitized before being processed by the agent.
Recommendations
- AI detected serious security threats
Audit Metadata