opencli-operate
Warn
Audited by Gen Agent Trust Hub on Apr 4, 2026
Risk Level: MEDIUM
Findings: DATA_EXFILTRATION, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, PROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The skill is designed to leverage existing browser login sessions. It provides tools like state, get html, and network that allow an AI agent to extract sensitive information, including page content, DOM structures, and API request/response data from authenticated web contexts.
- [REMOTE_CODE_EXECUTION]: The skill instructions include a 'Sedimentation' workflow where the agent is encouraged to generate and write executable TypeScript adapters to ~/.opencli/clis/. These files are intended to be executed by the opencli tool, creating a pathway for persistent, locally-stored code execution.
- [COMMAND_EXECUTION]: The opencli operate eval command permits the execution of arbitrary JavaScript code within the context of the active browser page. While used for data extraction, this provides a surface for runtime code injection in the browser.
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from the web.
  - Ingestion points: Arbitrary web content is retrieved via opencli operate state, get html, and network monitoring.
  - Boundary markers: The instructions lack explicit requirements for using delimiters or boundary markers when the agent processes retrieved web content.
  - Capability inventory: The agent has the ability to write files (Write, opencli init), execute browser commands (Bash), and inspect network traffic.
  - Sanitization: There are no instructions for sanitizing or escaping content scraped from websites before it is processed by the agent or used in subsequent tool calls.