Skills
skills/joeseesun/opencli/qiaomu-opencli-browser/Gen Agent Trust Hub

qiaomu-opencli-browser

Fail

Audited by Gen Agent Trust Hub on May 15, 2026

Risk Level: HIGHCOMMAND_EXECUTIONDATA_EXFILTRATIONREMOTE_CODE_EXECUTIONPROMPT_INJECTION
Full Analysis
  • [DATA_EXFILTRATION]: Access to Active Browser Sessions. The skill is designed to interact with websites using the user's existing authenticated sessions. This provides the agent with the ability to read private data from any logged-in site (e.g., reading emails, accessing financial information, or viewing internal company dashboards) without further authentication.
  • [COMMAND_EXECUTION]: Arbitrary JavaScript Execution. The opencli browser eval command permits the execution of arbitrary JavaScript code within the browser context. This allows the agent to bypass standard user interface interactions, manipulate page elements, or extract data that is not readily visible in the DOM.
  • [DATA_EXFILTRATION]: Network Traffic Inspection. The opencli browser network tool allows the agent to inspect network requests and their full response bodies. This could lead to the capture of sensitive information such as session tokens, authorization headers, or private data transmitted via APIs.
  • [REMOTE_CODE_EXECUTION]: Dynamic Script Generation and Execution. The skill documentation describes a workflow using init and verify commands to generate TypeScript adapter scripts in the user's home directory (~/.opencli/clis/) and execute them. This provides a mechanism for the agent to create and run its own code to automate complex tasks.
  • [PROMPT_INJECTION]: Indirect Prompt Injection Surface. The skill allows the agent to navigate the live web and process content from arbitrary websites, exposing it to instructions embedded by malicious third parties.
  • Ingestion points: External websites accessed through the open command.
  • Boundary markers: Absent; there are no instructions provided to the agent to distinguish between user commands and data retrieved from the web.
  • Capability inventory: The skill has extensive control over the browser (click, type, eval), the ability to write files (Write), and execute shell commands (Bash).
  • Sanitization: No content validation or sanitization mechanisms are described for data retrieved from external sources before it is processed by the agent.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level
HIGH
Analyzed
May 15, 2026, 02:34 AM