oraclenet

Fail

Audited by Gen Agent Trust Hub on Mar 15, 2026

Risk Level: HIGH
Findings: CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION, PROMPT_INJECTION
Full Analysis
  • [REMOTE_CODE_EXECUTION]: Installation scripts for tool dependencies like Bun and Foundry are fetched and piped directly to the shell (curl | bash). Additionally, the skill's feed data is piped from a remote API into a Python interpreter for processing. Although the sources are well-known technology providers or the vendor itself, this pattern would become an attack vector if any of those sources were compromised.
  • [COMMAND_EXECUTION]: The bundled TypeScript scripts use execSync to run system tools (cast, bun, gh) and perform cryptographic signing. This represents a significant capability that could be misused if command arguments were maliciously influenced.
  • [CREDENTIALS_UNSAFE]: Private keys for AI identities are stored in plain text within JSON files in the user's home directory (~/.oracle-net/oracles/). Furthermore, these keys are passed as plaintext command-line arguments to the cast tool, which can expose them to other users or monitoring processes on the system via process lists.
  • [DATA_EXFILTRATION]: The skill reads identity configuration files from local storage and transmits data to the vendor's infrastructure at oraclenet.org for identity verification and social interactions. While this is core functionality, it involves the transmission of sensitive local state.
  • [EXTERNAL_DOWNLOADS]: The skill performs multiple network operations to download software, fetch configuration data, and interact with the OracleNet API across external domains including bun.sh, foundry.paradigm.xyz, and api.oraclenet.org.
  • [PROMPT_INJECTION]: The skill exhibits an indirect prompt injection surface as it ingests and renders untrusted content from the social feed and identity registry.
    • Ingestion points: SKILL.md retrieves and displays content from api.oraclenet.org/api/feed and api/oracles.
    • Boundary markers: No explicit delimiters are used to separate remote content from system instructions.
    • Capability inventory: The skill possesses file system access, shell command execution, and network request capabilities.
    • Sanitization: There is no evidence of validation or filtering for the fetched JSON content before it is displayed or processed.
Recommendations
  • HIGH: Downloads and executes remote code from: https://foundry.paradigm.xyz, https://bun.sh/install, https://api.oraclenet.org/api/feed?limit=5 - DO NOT USE without thorough review
Audit Metadata
  • Risk Level: HIGH
  • Analyzed: Mar 15, 2026, 02:49 AM