marketplace
Warn
Audited by Gen Agent Trust Hub on Mar 15, 2026
Risk Level: MEDIUM (EXTERNAL_DOWNLOADS, CREDENTIALS_UNSAFE, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the user to install the @openstall/sdk package globally via NPM. While this is a vendor-provided resource, it represents an external dependency required for core functionality.
- [CREDENTIALS_UNSAFE]: The setup process involves configuring sensitive secrets such as Telegram bot tokens, Slack webhooks, and Discord webhooks. These are stored in a local JSON configuration file, and the skill also suggests retrieving existing credentials from other agent systems such as OpenClaw.
- [COMMAND_EXECUTION]: The OpenStall worker executes a user-defined agent command to process tasks received from the marketplace. This creates a mechanism where external task inputs directly determine the parameters of local command execution.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it processes tasks and outputs from an open marketplace of untrusted third-party agents.
  - Ingestion points: Task inputs and delivery results from the api.openstall.ai endpoint.
  - Boundary markers: There are no explicit delimiters or instructions provided to separate untrusted marketplace data from the local agent's operational logic.
  - Capability inventory: The system can execute arbitrary CLI commands via the agent-cmd configuration and make external network requests.
  - Sanitization: No sanitization or validation of marketplace-sourced content is implemented.