opencli-usage
Warn
Audited by Gen Agent Trust Hub on May 19, 2026
Risk Level: MEDIUMREMOTE_CODE_EXECUTIONCOMMAND_EXECUTIONDATA_EXFILTRATIONEXTERNAL_DOWNLOADSPROMPT_INJECTION
Full Analysis
- [REMOTE_CODE_EXECUTION]: The skill documents the
opencli plugin install github:user/repocommand, which allows the installation and execution of code from arbitrary GitHub repositories. This enables the execution of unverified third-party logic within the user's environment. - [COMMAND_EXECUTION]: The
opencli external installandopencli external registerfeatures allow the skill to install and invoke arbitrary command-line tools, inheriting the user's permissions. - [DATA_EXFILTRATION]: The tool supports strategies like
COOKIEandINTERCEPTthat capture authentication tokens and cookies from active, logged-in Chrome sessions to automate site interactions. While this is the intended purpose, it represents access to highly sensitive session data. - [EXTERNAL_DOWNLOADS]: The skill instructions involve downloading the core utility from the NPM registry (
@jackwener/opencli) and cloning source code from the vendor's GitHub repository (github.com/jackwener/OpenCLI). - [PROMPT_INJECTION]: The tool provides an automated path for the agent to ingest data from arbitrary websites, creating a significant attack surface for indirect prompt injection.
- Ingestion points: Data retrieved from external websites and Electron apps via
opencli <site> <command>. - Boundary markers: None identified in the instruction set to separate untrusted web content from agent instructions.
- Capability inventory: The skill can execute shell commands (
opencli), write to the home directory (~/.opencli), and install/run third-party plugins. - Sanitization: No explicit sanitization or filtering of website content is documented before the data is processed by the agent.
Audit Metadata