OSINT
Warn
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: MEDIUMCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [COMMAND_EXECUTION]: The skill executes shell commands using
curlto send status updates and notifications to a local service endpoint. - Evidence: Command blocks targeting
http://localhost:8888/notifyare present inSKILL.mdand all workflow files in theWorkflows/directory. - [COMMAND_EXECUTION]: Dynamic path resolution for storing investigation artifacts is performed using
jqin command substitution. - Evidence: Path definitions in
SKILL.mdandMethodology.mduse$(jq -r ...)to resolve the active work directory. - [PROMPT_INJECTION]: The skill exhibits a significant attack surface for indirect prompt injection due to its primary function of ingesting data from uncontrolled external sources.
- Ingestion points: Untrusted content from websites, social media, and public records is processed during Phase 3 of the
CompanyLookup,PeopleLookup, andEntityLookupworkflows. - Boundary markers: The skill does not define explicit delimiters or instructions to help sub-agents distinguish between retrieved data and core instructions.
- Capability inventory: The skill has the ability to execute shell commands (
curl,jq) and perform file system operations. - Sanitization: No sanitization or validation logic is specified for data gathered from external OSINT sources.
- [PROMPT_INJECTION]: The skill includes instructions to prioritize and apply behavioral overrides from a user-controlled local directory.
- Evidence: The 'Customization' section in
SKILL.mddirects the agent to load and applyPREFERENCES.mdand configurations from~/.opencode/skills/CORE/USER/SKILLCUSTOMIZATIONS/OSINT/which override default behaviors.
Audit Metadata