oracle
Fail
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- EXTERNAL_DOWNLOADS (HIGH): The skill relies on
npx -y @steipete/oracle, which fetches and runs code from the npm registry without user confirmation. The author@steipeteis not a pre-approved trusted source, posing a risk of supply chain attacks. - REMOTE_CODE_EXECUTION (HIGH): The skill documents a 'Remote browser host' feature (
oracle serve --host 0.0.0.0) that opens a listening port (9473) on the host machine. This allows remote control of the system via a token, which is a high-risk capability if exposed. - DATA_EXFILTRATION (MEDIUM): The skill is designed to read local files via the
--fileargument and transmit their contents to external AI model providers (OpenAI, Gemini) or browser sessions. This creates a risk of exfiltrating proprietary code or configuration secrets. - COMMAND_EXECUTION (MEDIUM): The skill facilitates the execution of shell commands through the
npxutility, providing the AI agent with a direct method to run arbitrary code on the local machine. - PROMPT_INJECTION (LOW): The skill is vulnerable to indirect prompt injection because it processes untrusted local files without explicit sanitization or boundary enforcement.
- Ingestion points: Local files and directories provided via the
--fileflag. - Boundary markers: Absent; the skill bundles raw file content directly into the model prompt.
- Capability inventory: Shell command execution (
npx), file system read access, and network communication (to AI APIs). - Sanitization: Absent; the instructions do not specify any validation or filtering of the file contents before they are processed by the AI.
Recommendations
- AI detected serious security threats
Audit Metadata