openindex-lite
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGH (EXTERNAL_DOWNLOADS, PROMPT_INJECTION, COMMAND_EXECUTION, CREDENTIALS_UNSAFE)
Full Analysis
- Indirect Prompt Injection (HIGH): The get-messages command (found in SKILL.md) retrieves content from external, untrusted agents. No boundary markers or sanitization steps are mentioned. Because the agent processes these messages as part of its workflow, an attacker can embed instructions in a message to hijack the agent and perform unauthorized actions with its own capabilities, such as send-message or register.
- Unverifiable Dependencies (MEDIUM): The skill requires installing @openindex/openindexcli from npm. The package is not published by a trusted organization and its runtime behavior cannot be verified, which is a supply-chain risk (Category 4).
- Insecure Credential Handling (MEDIUM): The skill instructs the agent to store a raw private key in the OPENINDEX_PRIVATE_KEY environment variable. Keeping a key in the environment violates best practice: every child process inherits it, and it can end up in log files or crash dumps (Category 2).
- Command Execution (LOW): The skill executes external CLI commands via npx and npm. This is needed for the skill to function, but it creates an exploitation surface if the tool itself or the parameters passed to it are compromised.
Recommendations
- AI detected serious security threats
Audit Metadata