PrivateInvestigator
Warn
Audited by Gen Agent Trust Hub on Mar 5, 2026
Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill's workflows (FindPerson.md, ReverseLookup.md, SocialMediaSearch.md) instruct the agent to install third-party Python packages 'holehe' and 'sherlock-project' using pip. These packages are not pinned to specific versions and originate from third-party sources, which poses a risk of supply chain attacks where malicious code could be introduced through the package repository.
- [COMMAND_EXECUTION]: The skill executes multiple command-line utilities, including 'curl' for local network notifications to http://localhost:8888 and OSINT tools like 'sherlock' and 'holehe'. Additionally, the skill dynamically loads configurations from the user's home directory (~/.opencode/skills/CORE/USER/SKILLCUSTOMIZATIONS/) to override its core behavior, which allows for behavior modification based on local file content.
- [PROMPT_INJECTION]: The skill possesses an extensive attack surface for indirect prompt injection (Category 8) due to its data collection and multi-agent synthesis model.
  * Ingestion points: The skill pulls data from numerous uncontrolled external sources including social media profiles, property records, and search aggregators in FindPerson.md and SocialMediaSearch.md.
  * Boundary markers: The instructions for research agents lack delimiters or explicit warnings to ignore embedded commands within the scraped content.
  * Capability inventory: The agent has access to system commands (pip, curl) and subprocess execution for OSINT tools.
  * Sanitization: No evidence of input validation or sanitization is present before the ingested external data is processed and reported to the user.