
opencli

Warn

Audited by Gen Agent Trust Hub on Mar 29, 2026

Risk Level: MEDIUM
Findings: DATA_EXFILTRATION, PROMPT_INJECTION, COMMAND_EXECUTION, REMOTE_CODE_EXECUTION
Full Analysis
  • [DATA_EXFILTRATION]: The skill is designed to reuse the user's authenticated Chrome sessions to access private data across numerous platforms, including Bilibili, Twitter, Facebook, LinkedIn, and Xiaohongshu. It can read notifications, private messages, bookmarks, and account details, exposing this sensitive information to the AI agent's context.
  • [PROMPT_INJECTION]: The skill acts as a major surface for indirect prompt injection. It fetches content from public and untrusted sources (e.g., tweets, Reddit comments, Hacker News posts) and converts them into Markdown for the agent. Malicious instructions embedded in these external sources could hijack the agent's behavior to perform unauthorized actions.
  • [COMMAND_EXECUTION]: The skill executes shell commands by wrapping external CLIs such as gh (GitHub CLI). It also allows for the execution of arbitrary JavaScript within the browser context via page.evaluate and YAML-based pipeline steps, which can be used to manipulate web pages or intercept network traffic.
  • [REMOTE_CODE_EXECUTION]: The skill implements a dynamic adapter system that automatically loads and executes TypeScript or YAML files from specific directories. This mechanism, combined with the synthesize and record features, allows for the runtime generation and execution of new automation logic.
  • [DATA_EXFILTRATION]: Evidence chain for the indirect prompt injection surface:
      • Ingestion points: Commands like twitter search, reddit read, medium feed, and web read ingest untrusted content from the public web into the agent's context.
      • Boundary markers: The skill does not describe any specific delimiters or instructions to help the agent distinguish between its core instructions and the fetched web content.
      • Capability inventory: The skill has the capability to write data (post tweets, send messages on LinkedIn/Boss), modify account settings (follow/block users), and execute local commands via external CLI wrappers.
      • Sanitization: There is no evidence of sanitization or filtering of the fetched content before it is presented to the AI agent.
Audit Metadata
Risk Level
MEDIUM
Analyzed
Mar 29, 2026, 04:37 PM