opik
Fail
Audited by Gen Agent Trust Hub on Jun 17, 2026
Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTIONREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
- [COMMAND_EXECUTION]: The skill provides instructions for Windows users to execute a PowerShell command using the
-ExecutionPolicy ByPassflag to run the localopik.ps1script, bypassing script execution restrictions for that process. It also facilitates the execution of local shell scripts and Docker Compose for server management. - [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface (Category 8):
- Ingestion points: The skill captures and processes traces and outputs from over 50 LLM frameworks and arbitrary code via decorators, as described in
SKILL.mdandscripts/install.sh. - Boundary markers: There are no delimiters or instructions provided to the agent to treat this captured data as untrusted or to isolate it from its own instruction processing.
- Capability inventory: The skill allows for environment interaction through the
Bash,Write,Edit, andWebFetchtools, which could be leveraged if malicious content in a trace were successfully executed by the agent. - Sanitization: There are no documented mechanisms for sanitizing or validating the content of the LLM traces before they are processed.
- [REMOTE_CODE_EXECUTION]: The
scripts/install.shscript downloads the installer for theuvpackage manager fromhttps://astral.sh/uv/install.shand pipes it to the shell. This is a standard deployment pattern for a well-known developer tool. - [EXTERNAL_DOWNLOADS]: The skill references and clones the official Opik repository from GitHub at
https://github.com/comet-ml/opik.gitfor local server setup.
Recommendations
- HIGH: Downloads and executes remote code from: https://astral.sh/uv/install.sh - DO NOT USE without thorough review
Audit Metadata