ask-opencli
Warn
Audited by Gen Agent Trust Hub on Apr 9, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the user to install an unverified third-party NPM package `@jackwener/opencli` and a Chrome browser extension from a non-standard source. These components are required to bridge the AI agent with the user's active browser sessions.
- [COMMAND_EXECUTION]: The skill interpolates user-provided input directly into shell commands (e.g., `opencli ... ask "{{PROMPT}}"`). This presents a significant command injection risk if the agent does not properly escape shell metacharacters (like `;`, `&&`, or `$()`) within the prompt.
- [COMMAND_EXECUTION]: Instructs the agent to perform persistence-like modifications by adding environment variables to the user's shell configuration file (`~/.zshrc`).
- [DATA_EXFILTRATION]: Because the tool drives a live browser session logged into services like Google and X (Grok), it has inherent access to sensitive session cookies and private account data. Using unverified third-party software to manage these sessions creates a path for potential credential or data exfiltration.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection. It ingests untrusted data from external AI models and writes it to local markdown artifacts without sanitization or explicit boundary markers.
  - Ingestion points: External responses from Grok/Gemini via the `opencli` tool.
  - Boundary markers: None implemented in the provided command templates or instructions.
  - Capability inventory: The skill has the ability to execute shell commands (`opencli`) and write files (`.omx/artifacts/`).
  - Sanitization: No evidence of output validation or escaping before data is processed or stored.
Audit Metadata