openclone
Warn
Audited by Gen Agent Trust Hub on Jun 27, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill instructs the user to download code from external GitHub repositories, specifically
https://github.com/open-clone/openclonefor the core tool andhttps://github.com/akillness/oh-my-godsfor plugin installation. - [REMOTE_CODE_EXECUTION]: The installation process involves a 'sparse checkout' of a remote repository followed by the execution of a
./setupscript. This allows for the execution of arbitrary shell commands provided by the external repository on the host machine. - [COMMAND_EXECUTION]: The skill makes extensive use of the
Bashtool to perform installation steps, manage a local file-based database in~/.openclone, and run the persona management commands. - [PROMPT_INJECTION]: The skill implements a 'knowledge injection' feature via the
/openclone ingestcommand, which fetches data from external URLs and YouTube transcripts to populate persona context. This creates a surface for indirect prompt injection, where malicious instructions hidden in the ingested web content could influence the agent's behavior during subsequent chat sessions. - Ingestion points:
SKILL.md(Instruction Step 4: Inject knowledge into a clone) - Boundary markers: The instructions do not specify any delimiters or safety headers to separate ingested 'knowledge' from the persona's core system instructions.
- Capability inventory: The skill has access to powerful tools including
Bash,WebFetch,Write, andEdit(listed inallowed-tools). - Sanitization: There is no mention of sanitization, filtering, or validation of the content retrieved from external URLs before it is stored in the local markdown files used for prompt context.
Audit Metadata