qiaomu-opencli-usage
Warn
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, REMOTE_CODE_EXECUTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the installation of a global NPM package `@jackwener/opencli` and a custom Chrome extension to function. It also supports dynamic installation of additional CLI tools like `gh`, `vercel`, and `docker` via the `opencli install` command.
- [COMMAND_EXECUTION]: The skill makes extensive use of the `opencli` command to perform actions on websites and desktop apps. It also executes `npm install`, `npx tsx`, and `npm update` commands.
- [DATA_EXFILTRATION]: The skill is designed to access and read private data from sessions where the user is already logged in. Commands like `opencli ones token-info`, `opencli twitter bookmarks`, `opencli facebook friends`, and `opencli quark ls` access session tokens, private messages, and file structures. This creates a high surface area for potential data exposure to the agent's context.
- [REMOTE_CODE_EXECUTION]: The skill implements a 'Self-Repair' feature (via `opencli-autofix`) that instructs the agent to modify the source code of adapters at `RepairContext.adapter.sourcePath` and re-execute them. This facilitates the generation and execution of dynamic code at runtime.
- [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it ingests untrusted content from platforms like Reddit, Twitter, and general websites (`opencli web read`).
  - Ingestion points: Data enters the context via website adapters in `SKILL.md` (e.g., `bilibili`, `twitter`, `reddit`, `web read`).
  - Boundary markers: None identified in the provided instructions to separate untrusted web content from agent instructions.
  - Capability inventory: The skill has destructive and communicative capabilities including `twitter delete`, `quark rm`, `douyin publish`, and `boss send`.
  - Sanitization: No sanitization or validation of the ingested external content is mentioned.