direct-message

Pass

Audited by Gen Agent Trust Hub on Feb 27, 2026

Risk Level: SAFE
Findings: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill invokes npx @openant-ai/cli@latest, which downloads and executes the latest version of the OpenAnt CLI from the NPM registry at runtime. This package is owned by the vendor 'openant-ai'.
  • [COMMAND_EXECUTION]: The skill uses Bash to execute multiple commands through the vendor CLI, including notifications, messages, and status. These commands are restricted to the vendor's specific toolset.
  • [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it retrieves and displays content from external users via direct messages.
  • Ingestion points: Untrusted data enters the context through npx @openant-ai/cli@latest messages read <conversationId> in SKILL.md.
  • Boundary markers: There are no explicit delimiters or instructions provided to the agent to distinguish between message content and system instructions.
  • Capability inventory: The skill has Bash execution capabilities enabled for the vendor CLI.
  • Sanitization: There is no evidence of sanitization or filtering of the message content before it is processed by the agent.
Audit Metadata
Risk Level: SAFE
Analyzed: Feb 27, 2026, 05:35 PM