skills/akillness/jeo-skills/opik/Gen Agent Trust Hub

opik

Fail

Audited by Gen Agent Trust Hub on Jun 17, 2026

Risk Level: HIGHCOMMAND_EXECUTIONPROMPT_INJECTIONREMOTE_CODE_EXECUTIONEXTERNAL_DOWNLOADS
Full Analysis
  • [COMMAND_EXECUTION]: The skill provides instructions for Windows users to execute a PowerShell command using the -ExecutionPolicy ByPass flag to run the local opik.ps1 script, bypassing script execution restrictions for that process. It also facilitates the execution of local shell scripts and Docker Compose for server management.
  • [PROMPT_INJECTION]: The skill presents an indirect prompt injection surface (Category 8):
  • Ingestion points: The skill captures and processes traces and outputs from over 50 LLM frameworks and arbitrary code via decorators, as described in SKILL.md and scripts/install.sh.
  • Boundary markers: There are no delimiters or instructions provided to the agent to treat this captured data as untrusted or to isolate it from its own instruction processing.
  • Capability inventory: The skill allows for environment interaction through the Bash, Write, Edit, and WebFetch tools, which could be leveraged if malicious content in a trace were successfully executed by the agent.
  • Sanitization: There are no documented mechanisms for sanitizing or validating the content of the LLM traces before they are processed.
  • [REMOTE_CODE_EXECUTION]: The scripts/install.sh script downloads the installer for the uv package manager from https://astral.sh/uv/install.sh and pipes it to the shell. This is a standard deployment pattern for a well-known developer tool.
  • [EXTERNAL_DOWNLOADS]: The skill references and clones the official Opik repository from GitHub at https://github.com/comet-ml/opik.git for local server setup.
Recommendations
  • HIGH: Downloads and executes remote code from: https://astral.sh/uv/install.sh - DO NOT USE without thorough review
Audit Metadata
Risk Level
HIGH
Analyzed
Jun 17, 2026, 07:07 AM
Security Audit — agent-trust-hub — opik