qiaomu-opencli-oneshot
Pass
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: SAFE
CREDENTIALS_UNSAFE, DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [CREDENTIALS_UNSAFE]: The skill includes a hardcoded Bearer token in one of the templates. While this specific string is widely known as a public guest token for the Twitter/X API, hardcoding such values is a security anti-pattern and can lead to unintentional credential exposure if modified.
- [DATA_EXFILTRATION]: The provided instructions and templates guide the agent to extract sensitive session data, such as cookies and CSRF tokens, from a user's browser environment to be used in external network requests. This behavior is necessary for the skill's function but represents a data exposure risk.
- [COMMAND_EXECUTION]: The workflow involves generating local TypeScript files and executing them via shell commands using tools like npm and the opencli utility. This presents a risk if the generated code or arguments are influenced by malicious or unexpected external input.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection as it ingests and processes data from arbitrary, untrusted URLs provided at runtime.
  - Ingestion points: The process uses browser navigation and network request tools to retrieve content and API responses from external sites.
  - Boundary markers: No specific delimiters or instructions are provided to the agent to distinguish between valid data and potentially malicious instructions embedded in the captured web data.
  - Capability inventory: The skill utilizes browser evaluation, network fetching, and local file system writes, combined with shell command execution.
  - Sanitization: The skill does not implement sanitization or validation of the data captured from external websites before using it to generate adapter code.