opper-node-agents
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGH (REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION)
Full Analysis
- REMOTE_CODE_EXECUTION (HIGH): In references/TOOLS.md, the skill gives an example evaluate tool that passes a string (expression) to the Function() constructor and executes it. This lets an LLM generate and run arbitrary JavaScript inside the agent's Node.js process, with the process's full privileges; if the agent's input or any tool in the chain is compromised, the result is remote code execution.
- COMMAND_EXECUTION (HIGH): The MCP integration documented in references/MCP.md lets agents spawn arbitrary system commands through the command and args parameters of the MCPconfig function. The provided examples use npx to download and run remote code (@modelcontextprotocol/server-filesystem) and docker for containerized execution, so whoever controls those parameters controls what the agent executes.
- DATA_EXFILTRATION (MEDIUM): The skill ships pre-configured patterns for deep filesystem and database access. Although intended as utilities, these tools let an agent read sensitive local files (e.g., via server-filesystem), which can then leave the host through ordinary LLM output or through any other network-enabled tool.
- INDIRECT_PROMPT_INJECTION (LOW): The framework is designed to ingest and process untrusted external data, which creates an injection surface.
- Ingestion points: Untrusted data enters the agent via agent.run() input and via tool outputs such as fetch_url or search_web, documented in references/TOOLS.md.
- Boundary markers: The examples place no explicit boundary markers around tool outputs and give the model no instruction to ignore commands embedded in them.
- Capability inventory: The agent has access to powerful capabilities, including subprocess execution (MCPconfig), filesystem reads, and dynamic JS execution, so injected instructions can reach them directly.
- Sanitization: No evidence of sanitization or escaping of external content before it enters the reasoning loop.
Recommendations
- AI detected serious security threats
Audit Metadata