qiaomu-opencli-usage
Warn
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: MEDIUM
COMMAND_EXECUTION, EXTERNAL_DOWNLOADS, DATA_EXFILTRATION, PROMPT_INJECTION, REMOTE_CODE_EXECUTION
Full Analysis
- [COMMAND_EXECUTION]: The skill facilitates the execution of the `opencli` command and various passthrough commands to external tools like `gh`, `docker`, and `vercel`. It also allows for the registration and execution of local custom CLI tools.
- [EXTERNAL_DOWNLOADS]: The skill promotes the installation of the `@jackwener/opencli` npm package and provides an internal command (`opencli install`) to download and install additional third-party CLI tools.
- [DATA_EXFILTRATION]: The skill provides capabilities to read highly sensitive information from logged-in user accounts across nearly 80 platforms, including private messages, browsing history, and personal profiles. While no direct exfiltration is observed, the extensive data access poses a significant risk if the agent is compromised.
- [PROMPT_INJECTION]: The skill is highly susceptible to indirect prompt injection due to the ingestion of content from numerous external websites and applications.
  - Ingestion points: Content is retrieved through commands like `web read`, `youtube transcript`, and various site-specific `search` and `read` commands.
  - Boundary markers: There are no specified delimiters or instructions to ignore malicious instructions embedded in the retrieved data.
  - Capability inventory: The agent can perform actions like posting to social media, sending messages, and executing system commands via passthrough CLIs.
  - Sanitization: The documentation does not mention any sanitization or validation of data retrieved from external sources.
- [REMOTE_CODE_EXECUTION]: The 'Self-Repair' feature encourages the agent to modify the tool's TypeScript source code and retry execution, which is a form of self-modifying code behavior.
Audit Metadata