multi-ai-research
Fail
Audited by Gen Agent Trust Hub on Jun 19, 2026
Risk Level: HIGHEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONDATA_EXFILTRATIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The skill requires the user to install the '@jackwener/opencli' package globally from NPM. This is an unverified third-party dependency from a source not included in any trusted vendor lists.
- [COMMAND_EXECUTION]: The skill uses the Bash tool to execute 'opencli' and 'twitter' commands. These commands are constructed using dynamic string interpolation (e.g., 'opencli grok ask "{{PROMPT}}"') based on user-supplied research questions. This pattern is vulnerable to command injection if the input contains shell metacharacters such as backticks or semicolons.
- [DATA_EXFILTRATION]: The skill explicitly sends internal data summaries, research context, and metadata like file paths and database locations (as seen in Phase 2 templates) to external AI services including Grok and Gemini. This represents a flow of internal environment information to non-whitelisted external domains.
- [PROMPT_INJECTION]: The skill is vulnerable to Indirect Prompt Injection (Category 8). Ingestion points: Data is ingested from the outputs of 'opencli' (Grok/Gemini) and 'twitter' CLI tools. Boundary markers: There are no explicit delimiters or system-level instructions to ignore embedded commands within the fetched external content. Capability inventory: The skill can execute Bash commands, write files (artifacts), and spawn multiple sub-agents. Sanitization: No evidence of filtering, escaping, or validation was found for the external content before it is used to generate final action items and recommendations.
Recommendations
- AI detected serious security threats
Audit Metadata