opencontext
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUM
Tags: EXTERNAL_DOWNLOADS, COMMAND_EXECUTION, CREDENTIALS_UNSAFE
Full Analysis
- [Unverifiable Dependencies & Remote Code Execution] (MEDIUM): The skill instructs the agent to install an external npm package (`@aicontextlab/cli`) from a non-trusted GitHub author (0xranx). This package is then executed to initialize the environment, representing an unverified software supply chain risk.
- [Persistence Mechanisms] (MEDIUM): To achieve its core purpose of 'Persistent Memory,' the skill modifies user-level configuration files including `~/.cursor/mcp.json` and `~/.claude/mcp.json`, and directories like `~/.cursor/commands`. While functional for the skill's purpose, this behavior allows external code to maintain a permanent presence in the agent's operating environment. Severity is downgraded from HIGH as this is the primary stated purpose of the skill.
- [Data Exposure & Exfiltration] (LOW): The skill configuration process encourages users to input sensitive credentials (`EMBEDDING_API_KEY`) into the CLI. While no direct exfiltration code is visible in the markdown, these secrets are handed over to an untrusted external binary.
- [Indirect Prompt Injection] (LOW): The skill provides tools like `oc_search` and `oc_manifest` that ingest untrusted data from documents in `~/.opencontext/contexts` into the agent's prompt context.
  - Ingestion points: `oc search` results and document retrieval tools.
  - Boundary markers: Absent from the documentation; external content is likely interpolated directly.
  - Capability inventory: The agent has access to `Bash`, `Write`, and `Grep`, which could be exploited if malicious instructions are retrieved from the context store.
  - Sanitization: None specified in the workflow.
Audit Metadata