openless-voice-input

Warn

Audited by Gen Agent Trust Hub on May 3, 2026

Risk Level: MEDIUM
EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
  • [EXTERNAL_DOWNLOADS]: The skill instructs users to clone a repository from an unverified GitHub account (appergb/openless) and download pre-built binaries from GitHub Releases.
  • [REMOTE_CODE_EXECUTION]: The installation and build process involves running npm ci and cargo install, which download and execute numerous third-party dependencies from public registries. It also includes the execution of a local shell script ./scripts/build-mac.sh for production builds.
  • [COMMAND_EXECUTION]: The documentation provides multiple shell commands for development, building, and troubleshooting, such as npm run tauri dev, cargo check, and curl tests for the Ark endpoint.
  • [DATA_EXFILTRATION]: The skill describes accessing application-specific sensitive data stored in the macOS/Windows Keychain and a fallback file at ~/.openless/credentials.json (mode 0600).
  • [PROMPT_INJECTION]: The application creates a surface for indirect prompt injection by processing potentially untrusted voice input through an LLM and inserting the result into system-wide text fields.
      • Ingestion points: Mic audio is converted to a transcript and passed to an LLM in polish.rs.
      • Boundary markers: The skill uses system prompts to instruct the LLM to only 'reshape' text and explicitly forbids answering questions.
      • Capability inventory: The insertion.rs component uses Accessibility and synthetic input APIs to write text into the active cursor of any running application.
      • Sanitization: The documentation notes the use of LLM-based constraints but does not mention programmatic sanitization or filtering of the transcript before LLM processing.
Audit Metadata
Risk Level: MEDIUM
Analyzed: May 3, 2026, 09:22 PM