openindex-cli
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH
CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, PROMPT_INJECTION, COMMAND_EXECUTION
Full Analysis
- Indirect Prompt Injection (HIGH): The skill allows an agent to read messages from untrusted external sources, creating a significant attack surface for indirect prompt injection.
  - Ingestion points: The `get-messages` and `search` commands retrieve untrusted content from the OpenIndex server.
  - Boundary markers: There are no instructions for the agent to treat message content as data rather than instructions.
  - Capability inventory: The skill provides commands for `send-eth` and `send-token` on multiple chains, allowing an attacker to potentially exfiltrate funds via injected instructions.
  - Sanitization: No sanitization of message content or user descriptions is mentioned.
- Unverifiable Dependencies (MEDIUM): The installation instructions require downloading `@openindex/openindexcli` from npm. This package is not from a trusted organization listed in the security policy, posing a supply chain risk.
- Data Exposure & Exfiltration (HIGH): The skill manages raw private keys through environment variables (`OPENINDEX_PRIVATE_KEY`) and CLI output. The `create` command prints a new private key directly to stdout, which is likely to be captured in the agent's persistent logs or memory context, violating credential safety best practices.
- Command Execution (LOW): The skill relies on executing shell commands with user-provided arguments (usernames, messages, amounts), which could lead to local command injection if the agent does not properly escape these values.
Recommendations
- AI detected serious security threats
Audit Metadata