oracle
Warn
Audited by Gen Agent Trust Hub on May 15, 2026
Risk Level: MEDIUM
Findings: EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill makes extensive use of npx -y @steipete/oracle, which downloads an external package from the NPM registry and executes it immediately without user confirmation of the package source.
- [REMOTE_CODE_EXECUTION]: By using the npx command with external packages, the skill performs remote code execution of third-party code on the local system.
- [COMMAND_EXECUTION]: The instructions direct the agent to execute shell commands to bundle files and interact with external processes (browsers or APIs).
- [DATA_EXFILTRATION]: The core functionality of the skill involves reading local source files (e.g., src/**) and transmitting their content to external AI platforms such as OpenAI's ChatGPT or other model APIs.
- [PROMPT_INJECTION]: The skill is susceptible to indirect prompt injection (Category 8) because it ingests untrusted data from the local file system and interpolates it into a prompt for a secondary AI model.
  - Ingestion points: Local files matched by the --file patterns in SKILL.md.
  - Boundary markers: None explicitly defined in the CLI arguments provided.
  - Capability inventory: The @steipete/oracle tool has capabilities for file system access, network communication, and browser automation.
  - Sanitization: There is no evidence of sanitization or filtering applied to the contents of the bundled files before they are sent to the target AI model.
Audit Metadata