opper-node-sdk
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE EXTERNAL_DOWNLOADS
Full Analysis
- External Downloads (LOW): The skill requires the installation of the opperai npm package. While this is the primary purpose of the skill, the package source is not on the pre-defined trusted list.
- Network Operations (LOW): The SDK performs network requests to opper.ai domains and uses dynamically generated URLs for file uploads. This is required for functionality but involves communication with non-whitelisted domains.
- Indirect Prompt Injection (LOW): The RAG (Retrieval-Augmented Generation) patterns described in the documentation ingest untrusted data from a knowledge base and interpolate it into prompts.
  - Ingestion points: references/KNOWLEDGE.md (via opper.knowledge.query results).
  - Boundary markers: Examples use simple string prefixes (e.g., Context:) rather than robust delimiters or structural markers.
  - Capability inventory: The SDK can execute LLM calls, manage server-side functions, and perform file uploads.
  - Sanitization: Documentation examples do not demonstrate sanitization or validation of the retrieved context before it is passed to the LLM.
Audit Metadata