orca-cli
Pass
Audited by Gen Agent Trust Hub on Apr 21, 2026
Risk Level: SAFE
PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it ingests untrusted data from external sources.
  - Ingestion points: Untrusted data enters the context via `orca terminal read` (reading shell outputs) and `orca snapshot` (reading accessibility trees and text from arbitrary websites).
  - Boundary markers: The skill instructions do not specify any delimiters or safety warnings to help the agent distinguish between its instructions and the data being processed.
  - Capability inventory: The skill possesses powerful capabilities including sending commands to live terminals (`orca terminal send`), managing file system worktrees (`orca worktree create/rm`), and full browser control (`orca click`, `orca fill`, `orca eval`).
  - Sanitization: No evidence of sanitization or validation of the external content before it is processed by the agent.
- [COMMAND_EXECUTION]: The skill provides tools for interacting with shell terminals via `orca terminal send`, which allows the agent to execute arbitrary commands in the environment where Orca is running.
- [REMOTE_CODE_EXECUTION]: The skill includes an `orca eval` command that allows the execution of arbitrary JavaScript within the browser context, representing a dynamic execution vector.
- [DATA_EXFILTRATION]: The skill provides capabilities to extract sensitive information from the browser or terminal, such as `orca cookie get` (retrieving session cookies), `orca snapshot` (extracting page content), and `orca screenshot` (capturing visual data).
Audit Metadata