omnisearch
Fail
Audited by Gen Agent Trust Hub on Feb 16, 2026
Risk Level: HIGHPROMPT_INJECTIONCOMMAND_EXECUTIONDATA_EXFILTRATION
Full Analysis
- PROMPT_INJECTION (HIGH): The skill metadata and body use coercive language designed to override the agent's internal logic and safety guidelines. Phrases like 'MANDATORY web search tool', 'THE ONLY way to search', 'CRITICAL: When to Use This Skill', and 'ALWAYS run the search immediately... don't ask permission' are classic injection patterns used to hijack agent behavior.
- INDIRECT PROMPT_INJECTION (HIGH): The skill creates a high-risk attack surface by processing untrusted data from external search providers.
- Ingestion point: Output from
./scripts/omnisearch.shand various web providers (Perplexity, Brave, etc.). - Boundary markers: Entirely absent. There are no instructions to the agent to treat search results as untrusted or to ignore instructions embedded within the results.
- Capability inventory: The agent is explicitly authorized to execute shell scripts (
./scripts/omnisearch.sh) and usemcportertools. - Sanitization: Absent. The agent is instructed to 'synthesize and answer', which encourages the processing of malicious payloads embedded in web content.
- COMMAND_EXECUTION (MEDIUM): The skill relies on the execution of a local shell script. The instructions specifically guide the agent to perform
chmod +x ./scripts/omnisearch.shif it fails, which is a pattern associated with privilege escalation on local files. - DATA_EXFILTRATION (MEDIUM): While expected for a search tool, the instructions force the agent to send queries to third-party providers. If a user's prompt contains sensitive data, this skill ensures that data is sent to external APIs (Perplexity, Kagi, etc.) without an explicit filter or user confirmation step.
Recommendations
- AI detected serious security threats
Audit Metadata