openhue
Pass
Audited by Gen Agent Trust Hub on Mar 14, 2026
Risk Level: SAFEEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill configuration specifies the installation of the
openhue-clitool via Homebrew from theopenhue/cli/openhue-clirepository tap. - [COMMAND_EXECUTION]: The skill executes shell commands using the
openhuebinary (SKILL.md) to communicate with and control Philips Hue Bridge hardware on the local network. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes untrusted user data without sufficient safeguards.
- Ingestion points: User-provided light, room, and scene names are used directly in command arguments in SKILL.md.
- Boundary markers: There are no markers or instructions to isolate user input from the rest of the command string.
- Capability inventory: The skill possesses the capability to execute shell commands with the
openhuebinary as seen in SKILL.md. - Sanitization: No input validation or escaping is applied to ensure that user-provided names do not contain shell metacharacters or additional commands.
Audit Metadata